processors. In addition, the controller includes one or more rendezvous signals sent to and received by the main processors as well as a mechanism for updating the time clocks based on a clocking midpoint of all processor signals.
METHOD AND APPARATUS FOR PROCESSING CONTROL USING A MULTIPLE REDUNDANT PROCESSOR CONTROL SYSTEM

RELATED APPLICATIONS

This application is a non-provisional application relying on the benefits of a prior filed provisional application Ser. No. 60/112,832 filed on Dec. 18, 1998, which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The field of this invention relates to computerized control systems for gathering sensor data from field units and triggering alarms or taking other actions based on the sensor data with respect to such control elements. More particularly this invention relates to multiple processor control units which are synchronized and evaluate sensor data for valid data.

2. Related Art

Many multiple processor control systems are available in the related art. These include systems as typified by U.S. Pat. No. 5,455,914 to Hashemi, et al. includes a multiple module processor which is controlled from a central computer station.

U.S. Pat. No. 4,616,312 to Uebel, describes a two-out-of-three selecting facility in a three-computer system for a Triple Redundant Computer System which is especially suitable for use with microprocessors having a large number of outputs. The computers of the three computer system handle the same processor information in parallel, but exchange their results in an asynchronous manner and compares them.

U.S. Pat. No. 4,627,055 to Mori, et al. describes a decentralized processing method and system having a plurality of subsystems of the same type which are connected to one another. Each subsystem has a diagnostic means for diagnosis of failure in the other subsystems and functions to take suitable counter-measures.

U.S. Pat. No. 5,239,641 to Horst, for a method and an apparatus for synchronizing a plurality of processors. Each processor runs off its own independent clock, indicates the occurrence of a predescribed processor event on one line and receives signals on another line for initiating a processor wait state.

However, the I/O architecture of the present invention is fundamentally different from prior systems, in that the prior systems rely on intelligent I/O modules, with one microprocessor per leg per module, while the present invention relies on centralized I/O logic, with one microprocessor per leg, controlling all the I/O modules. A degree of local intelligence on each I/O module is implemented through gate array logic, acting primarily as a slave to the main processor. This architecture reduces the component cost and eliminates the significant size of such system which are usually housed in a central location. A unique synchronization system keeps the local clocks in synchronization.

The present invention provides a system which is intended to operate adjacent the equipment being controlled.

SUMMARY OF THE INVENTION

The control system of the present invention comprises a fault tolerant controller, control system platform or computer system having a triple modular redundant (TMR) architecture. The controller consists of three identical channels, except for the power modules which are dual-redundant. Each channel independently executes the application program in parallel with the other two channels. A voting system with voting mechanisms which qualify and verify all digital inputs and outputs from the field; analog inputs are subject to a mid-value selection process.

Each channel is isolated from the others, no single-point failure in any channel can pass to another. If a hardware failure occurs in one channel, the faulty channel is overridden by the other channels. Repair consists of removing and replacing the failed module in the faulty channel while the controller is online and without process interruption.

The controller of the present invention features triplicated main processor modules (MP), input/output modules (I/O) and optionally one or two Local Communications modules (LCM). Each I/O module houses the circuitry for three independent channels. Each channel on the input modules reads the process data and passes that information to its respective MP. The three MP communicate with each other using a high-speed bus called Channel 11.

The system is a scan based system and once per scan, the MP module synchronizes and communicate with the neighboring MPs over the Channel 11. The Channel 11 forwards copies of all analog and digital input data to each MP, and compares output data from each MP. The MPs vote the input data, execute the application program and send outputs generated by the application program to the output modules. In addition, the controller votes the output data on the output modules as close to the field as possible to detect and compensate for any errors that could occur between the Channel 11 voting and the final output driven to the field. For each I/O module, the controller can support an optional hot-spare module. If present, the hot-spare takes control if a fault is detected on the primary module during operation. The hot-spare position is also used for the online-hot repair of a faulty I/O module.

The MPs each control a separate channel and operate in parallel with the other two MPs. A dedicated I/O control processor on each MP manages the data exchanged between the MP and the I/O modules. A triplicated I/O bus, located on the base plates, may be extended from one column of I/O modules to another column of I/O modules using I/O bus cables. In this way the system can be expanded. Each MP polls the appropriate channel of the I/O bus and the I/O bus transmits new input data to the MP on the polling channel. The input data is assembled into a table in the MP and is stored in memory for use in the voting process.

The input table in each MP is transferred to its neighboring MP over the Channel 11. After this transfer, voting takes place. The Channel 11 uses a programmable device with a direct memory access to synchronize, transmit, and compare data among the three MPs.

If a disagreement occurs, the signal value found in two of three tables prevails, and the third table is corrected accordingly. Each MP maintains data about necessary correction in local memory. Any disparity is flagged and used at the end of the scan by built-in fault analyzer routines to determine whether a fault exists on a particular module.

The MPs send corrected data to the application program and then executes the application program in parallel with the neighboring MP and generates a table of output values that are based on the table of input values according to the user-defined rules. The I/O control processor on each MP manages the transmission of output data to the output modules by means of the I/O bus.

Using the table of output values, the I/O control processor generates smaller tables, each corresponding to an individual output module. Each small table is transmitted to the appropriate channel of the corresponding output module over the I/O bus. For example, MP A transmits the appropriate table to channel A of each output module over the I/O bus A. The transmittal of output data has priority over the routine scanning of all I/O modules.

Each MP provides a 16-megabyte DRAM for the user-written application program, sequence-of-events (SOE) tracking, and I/O data, diagnostics and communication buffers. The application program is stored in flash EPROM and loaded into DRAM for execution. The MPs receive power from redundant 24 VDC power sources. In the event of an external power failure, all critical retentive data is stored in NVRAM. A failure of one power source does not affect controller performance. If the controller loses power, the application program and all critical data are retained.

In addition, each MP can provide direct development and monitoring computer support and Modbus communication. Each MP provides one (IEEE 802.3 Ethernet) Development System computer port for downloading the application program to the Trident controller and uploading diagnostic information, and one Modbus RS-232/RS-485 serial port which acts as a slave while an external host computer is the master. Typically, a distributed control system (DCS) monitors and optionally updates the controller data directly through an MP.

The triplicated I/O bus is carried baseplate-to-baseplate using Interconnect Assemblies, extender modules, and I/O bus cables. The redundant logic power distribution system is carried using Interconnect Assemblies and Extender modules.

The Channel 11, which is local to the MP baseplate, consists of three independent, serial links operating at 25 Mbaud. It synchronizes the MPs at the beginning of a scan. Then each MP sends its data to its upstream and downstream neighbors. The Channel 11 takes the following actions: transfers input, diagnostic and communication data, compares data and flags disagreements for the previous scan's output data and application program memory. A single transmitter is used to send data to both the upstream and downstream MPs. This ensures that the same data is received by the upstream processor and the downstream processor.
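
The two-out-of-three vote, mid-value selection and disparity flagging described in this specification, as an added example in C (not code from the patent or from the product it describes). The packed one-bit-per-point table layout, the `tol` analog tolerance, and the `FAULT_LIMIT` policy in `analyze_faults` are assumptions; the page does not specify them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CH 3        /* channels A, B, C */
#define FAULT_LIMIT 3   /* assumed: disparities per scan that mark a channel suspect */

/* Per-scan disparity counters, one per channel (hypothetical structure). */
typedef struct { unsigned disparities[NUM_CH]; } scan_report;

static unsigned popcount8(uint8_t v) {
    unsigned n = 0;
    for (; v; v >>= 1) n += v & 1u;
    return n;
}

/* 2-out-of-3 vote over packed discrete input tables (one bit per point).
 * The value held by two of the three tables prevails; the third table is
 * corrected in place and every corrected bit is counted as a disparity. */
void vote_discrete(uint8_t *tbl[NUM_CH], size_t nbytes, scan_report *rep) {
    for (size_t i = 0; i < nbytes; i++) {
        uint8_t a = tbl[0][i], b = tbl[1][i], c = tbl[2][i];
        uint8_t voted = (uint8_t)((a & b) | (b & c) | (a & c));
        for (int ch = 0; ch < NUM_CH; ch++) {
            rep->disparities[ch] += popcount8((uint8_t)(tbl[ch][i] ^ voted));
            tbl[ch][i] = voted;
        }
    }
}

/* Mid-value selection: the median of three samples. */
int32_t mid_value(int32_t a, int32_t b, int32_t c) {
    if (a > b) { int32_t t = a; a = b; b = t; }  /* now a <= b */
    if (b > c) b = c;                            /* b = min(b, c) */
    return a > b ? a : b;                        /* max(a, min(b, c)) */
}

/* Analog vote. Bit ch of active_mask is set for each channel in service.
 * TMR mode (three active): mid-value. Duplex mode (two active): average.
 * A channel further than tol counts from the selected value is flagged. */
int vote_analog(int32_t *tbl[NUM_CH], size_t npoints, unsigned active_mask,
                int32_t tol, scan_report *rep) {
    int active[NUM_CH], n = 0;
    for (int ch = 0; ch < NUM_CH; ch++)
        if (active_mask & (1u << ch)) active[n++] = ch;
    if (n < 2) return -1;  /* single-channel operation is outside this example */
    for (size_t i = 0; i < npoints; i++) {
        int64_t sel;
        if (n == 3)
            sel = mid_value(tbl[0][i], tbl[1][i], tbl[2][i]);
        else
            sel = ((int64_t)tbl[active[0]][i] + tbl[active[1]][i]) / 2;
        for (int k = 0; k < n; k++) {
            int64_t d = (int64_t)tbl[active[k]][i] - sel;
            if (d < 0) d = -d;
            if (d > tol) rep->disparities[active[k]]++;
            tbl[active[k]][i] = (int32_t)sel;   /* correct the table */
        }
    }
    return 0;
}

/* End-of-scan fault analysis (assumed policy): a channel whose disparity
 * count reaches FAULT_LIMIT is reported. Returns a bitmask of channels. */
unsigned analyze_faults(const scan_report *rep) {
    unsigned mask = 0;
    for (int ch = 0; ch < NUM_CH; ch++)
        if (rep->disparities[ch] >= FAULT_LIMIT) mask |= 1u << ch;
    return mask;
}

/* Constructed scan: channel B has four stuck-high bits and a railed analog point. */
unsigned demo_scan(uint8_t *voted_byte, int32_t *voted_analog) {
    uint8_t da[2] = {0x0F, 0x01}, db[2] = {0xFF, 0x01}, dc[2] = {0x0F, 0x01};
    int32_t aa[1] = {1000}, ab[1] = {4095}, ac[1] = {1004};
    uint8_t *d[NUM_CH] = {da, db, dc};
    int32_t *a[NUM_CH] = {aa, ab, ac};
    scan_report rep = {{0, 0, 0}};
    vote_discrete(d, 2, &rep);
    vote_analog(a, 1, 0x7, 16, &rep);
    *voted_byte = db[0];     /* channel B's table after correction */
    *voted_analog = ab[0];
    return analyze_faults(&rep);
}

int main(void) {
    uint8_t vb;
    int32_t va;
    unsigned suspects = demo_scan(&vb, &va);
    printf("voted byte=0x%02X voted analog=%ld suspect mask=0x%X\n",
           (unsigned)vb, (long)va, suspects);
    return 0;
}
```

In duplex mode a disagreement moves both remaining channels equally far from the average, so the counters alone cannot say which of the two is at fault.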

Field signal distribution is local to each I/O baseplate. Each I/O module transfers signals to or from the field through its associated baseplate assembly. The two I/O module slots on the baseplate tie together as one logical slot. A first position holds the active I/O module and the second position holds the hot-spare I/O module. Each field connection on the baseplate extends to both active and hot-spare I/O modules. Therefore, both the active module and the hot-spare module receive the same information from the field termination wiring.

The 2 Mbaud triplicated I/O bus transfers data between the I/O modules and the MP. The I/O bus is carried along the DIN mounting rail and can be extended to multiple DIN rails. Each channel of the I/O bus runs between one MP and the corresponding channel on the I/O module. The I/O bus extends between DIN rails using a set of three I/O bus cables.

Logic power for the module on each DIN mounting rail draws power from the power rails through redundant DC-DC power converters. Each channel is powered independently from these redundant power sources.

The controller of the present invention incorporates integral online diagnostics. These diagnostics and specialized fault monitoring circuitry are able to detect and alarm all single fault and most multiple fault conditions. The circuitry includes but is not necessarily limited to I/O loop-back, watch-dog timers, and loss-of-power sensors. Using the alarm information, the user is able to tailor the response of the system to the specific fault sequence and operating priorities of the application.

Each module can activate the system integrity alarm, which consists of normally closed (NC) relay contacts on each MP Module. Any failure condition, including loss or brown-out of system power, activates the alarm to summon plant maintenance personnel.

The front panel of each module provides light-emitting-diode (LED) indicators that show the status of the module or the external systems to which it may be connected. PASS, FAULT, and ACTIVE are common indicators. Other indicators are module-specific. A common module housing structure which accepts all [illegible] boards for the various modules

Normal maintenance consists of replacing plug-in modules. A lighted FAULT indicator shows that the module has detected a fault and must be replaced.

All internal diagnostic and alarm status data is available for remote logging and report generation. Reporting is done through a local or remote host computer.

Additional special features include fault testing of channels through a loop-back through the base plate to ensure that the transmitting module is accurately transmitting data, and status information.

The MP modules running in parallel rendezvous each scan to vote, and run the application program. At each rendezvous the modules are time synchronized by the adjustment of their time clocks by a specific amount. Dependent on the disparity between time clocks either a positive or a negative adjustment is made to those clocks out of synchronization.

A System Executive runs the application program developed by a control engineer for a specific industrial site which is downloaded from a development PC. A System Input/Output Executive facilitates communication with the input/output modules and the System Executive. Both the System Executive and the System Input/Output Executive are resident on each MP processor module.

Each processor module MP consists of two semi-independent designs, the processor section and the input/output section. The processor section is dedicated to the System Executive and associated firmware; the input/output section is dedicated to System Input/Output Executive and associated firmware. There are three processor modules in a system.

The three processor modules communicate with each other via an inter-processor bus called the Channel 11. The Channel 11 is a high speed fault tolerant communication path between the processors and is used primarily for voting data. The three processor modules are time synchronized with each other by a fault tolerant subsystem called the synchronization system. Each processor module contains two ports that can be used for interface with a development computer system or as a slave interface. Each processor module also contains one optional port for System Executive development, or LAN support. The System Executive for each processor module communicates with its companion Input/Output section for that processor via a shared memory interface. Each Input/Output section communicates with at least one Input/Output module via a triplicated communications bus. Each processor module also communicates with at least one communications module via a triplicated communications bus. The communication module provides TCP/IP network connections to the development PC and DCS hosts. The communication module also provides development and slave interface ports.

[illegible] interconnect tees couple each of the processor modules together to form the System Controller. Each leg of the System controller is controlled by separate processor modules and each processor module operates in parallel with the other two processor modules, as a member of a triad. The input/output executive scans each input/output module via the triplicated I/O bus. As each input/output module is scanned, the new input data is transmitted by the input/output module to processor module via shared memory located on the printed circuit board supporting the processor module and the input/output module.

The processor module stores the input data into an input table in its memory for evaluation by the application program.

Prior to the application program evaluation, the input table in each processor module is compared with the input tables on the other processor modules via the Channel 11. The Channel 11 is a three channel parallel to serial/serial to parallel communications interface with DMA controller, hardware loop-back fault detection, CRC checking and processor module to processor module electrical isolation.

The complete input data in the table for each MP/IOP module 1 is transferred to the other MP/IOP module 1 in the system and then "voted" by the System Executive firmware SX 15'. After the Channel 11 transfer and input data voting has corrected the input values, the values are evaluated by the application program. The application program is executed in parallel on each processor module by the MPC860 microprocessor which forms the processor module. The application program generates a set of output values based upon the input values, according to the rules built in to the program by the Control Engineer. The processor section transmits the output values to the Input/Output section via a shared memory. The processor section also votes the output values via Channel 11 access to detect faults, i.e. non-compliant component. The input/output module separates the output data corresponding to individual Input/Output modules in the system. Output data for each input/output module is transmitted via an Input/Output bus to the Input/Output modules for application to field units.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 Control system overall block diagram
FIG. 2 Detailed overall block diagram
FIG. 3 I/O Module block diagram
FIG. 4 Main processor module block diagram
FIGS. 5A-5B [illegible] rail mount
FIG. 6 [illegible]
FIG. 7 MP/IOP board block diagram
FIGS. 8A-8B Flow of program support for application program
FIGS. 9A-9B FPGA block diagram
FIG. 10A Minimum system block diagram
FIG. 10B Large system block diagram
FIGS. 11A-11B Communication paths for data capture and time synchronization
FIG. 12 Communication modules block diagram
FIG. 13 Enclosure diagram including heat dissipation pads and jackscrew
FIG. 14 Main processor board block diagram with dual power source
FIG. 15 Power board block diagram
FIG. 16 [illegible] mounting structure and arrangement
FIG. 17 Profile of enclosure and interlock mechanism
FIGS. 18A-18E Faceplate covers
FIGS. 19A-19B Main processor
FIGS. 20A-20B Baseplate digital in base plate and connectors
FIGS. 21A-21B Baseplate digital out base plate and connectors
FIGS. 22A-22B Baseplate analog in base plate and connectors
FIGS. 23A-23B Baseplate registers out base plate and connectors
FIG. 24 FPGA register structure
FIG. 25 Time synchronization diagram

DESCRIPTION OF THE SPECIFIC EMBODIMENT

FIG. 1 is an overall block diagram of the control system which includes a Main processor 1, I/O modules 2, communication modules 3 and dual redundant power supplies 4.

OVERVIEW

FIG. 2, shows a typical system configuration in more detail, which includes triple MP/IOP modules 1 (Sometimes referred to interchangeably as LMP/UOP in the specification and drawings) having an MP(A) 1a, an MP(B) 1b and an MP(C) 1c assembly and may include up to six I/O assemblies of various types of I/O modules. Two I/O modules 2a and 2b are illustrated. Assemblies are configured into a system on a mounting base plate as shown in FIGS. 5A and 5B using interconnect assemblies, extenders, I/O bus cables (used to join I/O columns), and I/O bus terminators. I/O modules communicate with the MPs by means of a triplicated, RS-485 bi-directional communication bus, called the I/O bus 13.

As noted above the present invention comprises a fault tolerant controller 31 comprising a triple modular redundant (TMR) architecture. The controller includes three identical channels, Channel A, 13a, Channel B, 13b, and Channel C 13c except for the power modules which are dual-redundant. Each MP, MP(A), 1a, MP(B), 1b, MP(C), 1c on the channel independently executes the application program in parallel with the other MPs. Voting mechanisms qualify and verify all digital inputs and outputs from the field 34; analog inputs are subject to a mid-value selection process.

Each channel 13 is isolated from the others, no single-point failure in any channel 13 can pass to another. If a hardware failure occurs in one channel 13, the faulty channel is overridden by the other channels. Repair consists of removing and replacing the failed module in the faulty channel while the controller is online and without process interruption.

As shown in FIG. 2, each I/O module houses the circuitry for three independent channels 13a, 13b, and 13c each channel serviced by an FPGA 30a, 30b, 30c, as shown in FIG. 3. Each FPGA 30 on the channels on the input modules reads the process data from the field circuitry 32a, 32b, and 32c and passes that information to the respective MP module 1.

The three MP/IOP modules 1 communicate with each other using a high-speed inter-MP bus called a Channel 11. The system is a scan based system and once per scan, the MP modules 1 synchronize and communicate with the neighboring MP modules 1 over the Channel 11. The Channel 11 forwards copies of all analog and discrete input data to each MP module 1. Each MP module 1 compares its input table data with the input table data for all other MP modules 1. The MP modules 1 vote the input data, execute the application program and send outputs generated by the application program to the output modules 2a, 2b and 2b'. In addition, the controller 31 votes the output data at the FPGAs 30a, 30b and 30c on the output modules as close to the field as possible to detect and compensate for any errors that could occur between the Channel 11 voting and the final output driven to the field 34. For each I/O module 2, the controller 31 can support an optional hot-spare module 2' as shown in FIG. 2. If present, the hot-spare takes control if a fault is detected on the primary module during operation. The hot-spare position is also used for the online-hot repair of a faulty I/O modules.

The MP modules 1 each control a separate channel and operate in parallel with the other two MPs. A dedicated I/O control processor IOX 17' on each MP/IOP module 1 as shown in FIG. 4 manages the data exchanged between the MP/IOP module 1 and the I/O modules 2. A triplicated I/O bus 13, located on the base plates may be extended from one column of I/O modules 2 to another column of I/O modules 2 using I/O bus cables. In this way the system can be expanded. Each MP module 1 polls the appropriate channel 13 of the I/O bus 13 and the I/O bus transmits new input data to the MP module 1 on polling the channel. The input data is assembled into an input table in the MP module 1 and is stored in memory for use in the voting process.

Referring to FIG. 2, each input table in each MP module 1 is transferred to its neighboring MP module 1 over the Channel 11. After this transfer, voting takes place. The Channel 11 uses a programmable device with a direct memory access to synchronize, transmit, and compare data among the three MP modules 1a, 1b and 1c.

If a disagreement occurs, the signal value found in two of three tables prevails, and the third table is corrected accordingly. Each MP module 1 maintains data about necessary corrections in local memory. Any disparity is flagged and used at the end of the scan by built-in fault analyzer routines to determine whether a fault exists on a particular module.

Each of the MP modules 1 sends corrected data to the application program and then executes the application program in parallel with the neighboring MP modules 1. The application generates a table of output values that result from the table of input values according to user-defined rules. The I/O control processor IOP 17 on each MP module 1 manages the transmission of output data to the output modules 2a by means of the I/O bus 13. Using the table of output values, the I/O control processor 17 generates smaller tables, each corresponding to an individual output module 2a where there are multiple output modules 2a. Each small table is transmitted to the appropriate channel of the corresponding output module 2a over the I/O bus 13. For example, MP module (A) 1a transmits the appropriate table to channel A of each output module 2b and 2b' I/O bus (A) 13a. The transmittal of output data has priority over the routine scanning of all I/O modules 2.

Each MP module 1 provides a 16-megabyte DRAM for the user-written application program, sequence-of-events (SOE) tracking, and I/O data and data tables, diagnostics and communication buffers. The application program is stored in flash EPROM and loaded into DRAM for execution. The MP modules 1 receive power from redundant 24 VDC power sources. In the event of an external power failure, all critical retentive data is stored in NVRAM. A failure of one power source does not affect controller performance. If the controller loses power, the application program and all critical data are retained.

In addition each MP module 1 can provide direct development and monitoring computer 6 support (Development System) and Modbus 5 communications. Each MP module 1 provides one (IEEE 802.3 Ethernet) Development System computer port for downloading the application program to the controller and uploading diagnostic information. One Modbus RS-232/RS-485 serial port which acts as a slave while an external host computer is the master. Typically, a distributed control system (DCS) monitors and optionally updates the controller 31 data directly through an MP module 1 connection.

The triplicated I/O bus 13 is carried baseplate-to-baseplate using interconnect assemblies, extender modules, I/O bus cables and the like mounted on a rail 66 as shown in FIGS. 5A & 5B. The redundant logic power distribution system is carried using interconnect assemblies and extender modules on the rail thus permitting expansion on the rail or to multiple rails.

The Channel 11, which is local to the MP module baseplate, consists of three independent, serial links operating at 25 Mbaud. The TriBus channel is used to synchronize the MP modules 1 at the beginning of a scan. Then each MP module 1 sends its data to its upstream and downstream neighboring MP modules 1. The Channel 11 transfers input, diagnostic and communication data, compares data and disagreements are flagged by the MP modules 1 for the previous scan's output data and application program memory. A single transmitter is used to send data to both the upstream and downstream MP modules 1 by a transmitting MP module 1. This facilitates reception of the same data by the upstream processor and the downstream processor.

Field 34 signal distribution is local to each I/O baseplate. Each I/O module transfers signals to (in the case of an output module 2) or from the field (in the case of an input module 2) through its associated baseplate assembly. There are two I/O module slots on the baseplate tie together as one logical slot as shown in FIGS. 3A and 5B; a first position holds the active I/O module 2a and 2b and the second position holds the hot-spare I/O module 2a' and 2b'. Each field 34 connection on the baseplate extends to both active and hot-spare I/O modules 2a' and 2b'. Therefore, both the active module 2a and the hot-spare module 2a' receive the same information from the field 34 termination wiring in the case of Input and in the case of output module 2b and the hot spare module 2b sent the same information in the case of output.

The triplicated I/O bus 13 transfers data between the I/O modules 2 and the MP modules 1. The I/O bus 13 is carried on a DIN mounting rail 66, as shown in FIGS. 5A and 5B and can be extended to multiple DIN rails 66. Each channel 13 of the I/O bus 2 runs between one MP module 1 and the corresponding channel on the I/O module 2.

Logic power for the modules on each DIN mounting rail 66 draws power from the rails through redundant DC-DC power converters. Each channel is powered independently from these redundant power sources.

The MP/IOP module 1 monitors each of the three input channels 13a, 13b and 13c measures the input signals from each point on the baseplate asynchronously, determines the respective states of the input signals, and places the values into input tables A, B and C respectively. Each input table in each MP module 1 is interrogated at regular intervals over the I/O bus 13 by the IOP processor 17 located on the corresponding MP/IOP module 1, for example, MP module A (1a) would interrogate Input Table A 1 over I/O Bus A (13a).

The I/O modules are specific in application or function and functionality may be expanded as required by the addition of additional functional modules. Referring to FIG. 6, the interfaces for the controller 31 are shown to include I/O modules 2 configured as a Digital Input Module 2a (DI), a Digital Output module, 2b (DO) an Analog Input module 2c (AI) an Analog Output module 2d (AO), a Relay Output module 2e (RO) and a Relay Input Module 2f (RI).

The Digital (Discrete) Input Module 2a contains the circuitry for three identical channels 13 as shown in FIG. 3 as 13a, 13b and 13c (A, B, and C). Although the channels reside on the same module 2, they are completely isolated from each other and operate independently. Each channel 13 contains an application-specific integrated circuit (ASIC) which handles communication with its corresponding MP module 1, and supports run-time diagnostics. Each of the three input channels measures the input signals from each point on the baseplate asynchronously, determines the respective states of the input signals, and places the values into input tables A, B and C respectively. Each input table is interrogated at regular intervals over the I/O bus by the I/O communication processor located on the corresponding MP, for example, MP A interrogates Input Table A over I/O Bus A as shown in FIG. 2. A redundant or hot spare is illustrated as 2b'.

Special self-test circuitry is provided to detect and alarm all stuck-at and accuracy fault conditions in less than 500 milliseconds and allows unrestricted operation under a variety of multiple fault scenarios.

The input diagnostics are specifically designed to monitor devices which hold points in one state for long periods of time. The diagnostics ensure complete fault coverage of each input circuit even if the actual state of the input points never changes.

The DO (Digital Output module) module 2b also contains the circuitry for three identical, isolated channels 13. Each channel and includes an ASIC which receives its output table from the I/O communication processor 17 on its corresponding main processor MP module 1. All DO modules 2b use special quad output circuitry to vote on the individual output signals just before they are applied to the load. This voter circuitry is based on parallel-series paths which pass power if the drivers for channels A and B or channels B and C, or channels A and C command them to close. In other words, 2 out of 3 drivers are voted "on". The quad output circuitry provides multiple redundancy for all critical signal paths, guaranteeing safety and maximum availability.

A DO module executes an output voter diagnostic (OVD)

designed to check outputs which typically remain in one state for long periods of time. The OVD strategy for a DO Module ensures full fault coverage of the output circuitry even if the commanded state of the points never changes.

On an AI Module 2c, as shown in FIG. 6, each I/O FPGA 30 on channel 13 measures the input signals asynchronously and places the results into an input table of values. Each input table is passed to the associated MP module 1 using the corresponding I/O bus 13. The input table in each MP module 1 is also transferred to its neighbors across the Channel 11. A middle value is selected by each MP module 1, and the input table in each other MP module 1 is corrected accordingly. In TMR mode, the mid-value data is used by the application program; in duplex mode, an average is used.

An analog output (AO) module may also be included for analog adjustment of an analog driven parameter.

The Relay Output (RO) and Relay Input (RI) Module is a non-triplicated module for use on non-critical points which are not compatible with high-side, solid-state output switches; for example, interfacing with annunciator panels. The RO Module receives output signals from the MPs on each of three channels. The three sets of signals are then voted, and the voted data is used to drive the 32 individual relays. Each output has a loop-back circuit which verifies the operation of each relay switch independently of the presence of a load. Ongoing diagnostics test the operational status of the RO Module.

Special self-test circuitry is provided to detect and alarm all stuck-at and accuracy fault conditions in less than 500 milliseconds.

DETAILED DESCRIPTION

Each I/O module 2 is designed to operate directly from redundant 24 VDC power sources as shown in FIG. 14. Logic power is carried baseplate-to-baseplate, allowing a signal logic power connection per column. The power conditioning circuitry is protected against over-voltage, over-temperature, and over-load conditions. Integral diagnostic checks for out-of-range voltages and over-temperature conditions. A short on a channel 13 disables the power regulator [illegible]

The controller 31 of the present invention incorporates integral online diagnostics. These diagnostics and specialized fault monitoring circuitry are able to detect and alarm all single fault and most multiple fault conditions. The circuitry includes but is not necessarily limited to I/O loop-back, watchdog timers, and loss of power sensors. Using the alarm information, the user is able to tailor the response of the system to the specific fault sequence and operating priorities of the application.

Each module can activate the system integrity alarm, which consists of normally closed (NC) relay contacts on each MP/IOP module 1. Any failure condition, including loss or brown-out of system power, activates the alarm to

routine at a predetermined time on each point OVD detects summon plant maintenance personnel, 

and alarms two different types of faults. The first is The front panel of each module provides light-emitting- 

"points"— aU stuck-on and stuck-off points are delected in diodes (LED) 41 indicators as shown on HG. 16 that show 

less than 500 milliseconds. The second is "switches" — all the status of the module or the external systems to which it 

stuck on or stuck-off switches or their associated drive 60 may be connected, PASS, FAULT, and ACTIVE are com- 

circuitry arc detected. During OVD execution, the com- mon indicators. Other indicators arc module — specific, 

manded state of each point is momentarily reversed on one Normal maintenance consists of replacing plug-in mod- 

of the output drivers, one after another. Loop-back on the ules. A lighted FAULT indicator shows that the module has 

module allows each ASIC to read the output value foi the detected a fault and must be replaced. All internal diagnostic 

point to dctenniDC whether a latent fault exists within the 65 and alarm status data is available for remote logging and 

output circuit The output signal transition is less than 2 report generation. Reporting is done through a local or 

miUisccond and is transparent to most field devices. OVD is remote host computer. 
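The 2-out-of-3 rule applied by the output voter (power passes when channels A and B, B and C, or A and C agree) can be modelled in software as a bitwise vote over a 32-point word with per-channel discrepancy tracking. This is an added example, not code from the patent; the FAULT_SCANS persistence filter, the structure layout and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CHANNELS    3
#define POINTS      32  /* one bit per point, matching the 32 relays of the RO module */
#define FAULT_SCANS 3   /* assumed: consecutive outvoted scans before a fault is latched */

typedef struct {
    uint8_t  miss[CHANNELS][POINTS]; /* consecutive scans each channel was outvoted */
    uint32_t latched[CHANNELS];      /* latched per-point fault bits, one word per channel */
} voter_state;

/* Bitwise 2-out-of-3: a point is on when A&B, B&C or A&C command it on. */
uint32_t vote_2oo3(uint32_t a, uint32_t b, uint32_t c)
{
    return (a & b) | (b & c) | (a & c);
}

/* Vote one scan and update the discrepancy counters.
 * Returns the voted word; persistent disagreements accumulate in st->latched. */
uint32_t voter_scan(voter_state *st, const uint32_t in[CHANNELS])
{
    uint32_t voted = vote_2oo3(in[0], in[1], in[2]);

    for (int ch = 0; ch < CHANNELS; ch++) {
        uint32_t lost = in[ch] ^ voted;          /* bits where this channel was outvoted */
        for (int p = 0; p < POINTS; p++) {
            uint32_t bit = (uint32_t)1 << p;
            if (lost & bit) {
                if (st->miss[ch][p] < FAULT_SCANS)
                    st->miss[ch][p]++;
                if (st->miss[ch][p] >= FAULT_SCANS)
                    st->latched[ch] |= bit;      /* persistent: report as a channel fault */
            } else {
                st->miss[ch][p] = 0;             /* agreement clears a transient count */
            }
        }
    }
    return voted;
}

/* Constructed scenario: channel C never turns point 3 on (stuck off),
 * while channel B misses point 1 for a single scan only. */
void demo(uint32_t *voted_out, uint32_t latched_out[CHANNELS])
{
    static const uint32_t scans[4][CHANNELS] = {
        { 0x0000000Bu, 0x00000009u, 0x00000003u },
        { 0x0000000Bu, 0x0000000Bu, 0x00000003u },
        { 0x0000000Bu, 0x0000000Bu, 0x00000003u },
        { 0x0000000Bu, 0x0000000Bu, 0x00000003u },
    };
    voter_state st = {0};
    uint32_t voted = 0;

    for (int i = 0; i < 4; i++)
        voted = voter_scan(&st, scans[i]);

    *voted_out = voted;
    for (int ch = 0; ch < CHANNELS; ch++)
        latched_out[ch] = st.latched[ch];
}

int main(void)
{
    uint32_t voted, latched[CHANNELS];

    demo(&voted, latched);
    printf("voted word      = 0x%08X\n", (unsigned)voted);
    for (int ch = 0; ch < CHANNELS; ch++)
        printf("channel %c fault = 0x%08X\n", 'A' + ch, (unsigned)latched[ch]);
    return 0;
}
```

The single-scan miss on channel B is outvoted and then forgotten, while the persistent disagreement on channel C is latched without ever changing the voted output.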
Additional special features include fault testing of channels through a loop-back through the base plate to ensure that the transmitting module is accurately transmitting data, and status information.

The MP/IOP modules 1 running in parallel rendezvous each scan to vote, and run the application program. At each rendezvous the MP/IOP modules 1 are time synchronized by the adjustment of their time clocks by an amount required to bring them into synchronization. Dependent on the disparity between time clocks either a positive or a negative adjustment is made to those clocks out of synchronization.

Referring again to FIG. 4, the preferred main processor (MP 15) CPU is a Motorola MPC860 operating at 50 MHz with […]. MP 15 uses the following components of the MPC860: RISC CPU, 4 Kbyte data cache, 4 Kbyte instruction cache, MMU, Memory controller, Time base for a real-time clock, Interrupt controller used for all serial and DMA channels, Channel 11, and synchronization system interrupts, the PC 860 Parallel port is used for LEDs and miscellaneous I/O, Communications Processor […].

The Main Processor, MP/IOP module 1a, […] (Input/Output Processor). Also provided are a Modbus port 5 which is a Modicon protocol port. The system supports acting as a slave to the port 5 communication link. A development system port 6 is also provided through which the application program developed may be downloaded from a development PC or other computer and the controller 31 monitored. Communication between main processor MP 15 sections and other main processor […] MP/IOP modules 1 takes place over the Channel 11. Communication between the input/output, IOP […] IOP sections […] takes place over the IOP bus 14. Communications between the MP/IOP module 1 and communications CM modules take place over the LCB bus […].

Each MP/IOP module 1 is capable of operating in SINGLE, DUAL and TMR (Triple Modular Redundant) modes. Each MP/IOP module 1 may control up to 56 I/O base-plate assemblies (LIO modules 2). The number of I/O base-plate assemblies varies based upon system options and requirements for a given industrial or other installation.

The IOP 17 uses the following components of the MPC860: a RISC CPU, 4 Kbyte data cache, 4 Kbyte instruction cache, Memory Management Unit, Memory controller, a Time base, used for IOX 17' real time clock, Interrupt controller used for all serial and DMA channels, Parallel port used for IOP 17 leg synchronization, and LEDs and miscellaneous I/O, a Communications Processor, BDM Port, SCC1 used for remote/expansion IOP bus, SCC2 used for the LIO bus, SCC3 used for upstream IOP communications, SCC4 used for downstream IOP 17 communications, SCM2 used for very low level hardware and IOX 17' debug & development. The IOP 17 clock is derived from the MP 15 50 MHz clock.

As shown in FIG. 4 the MP 15 is dedicated to SX 15' (the system executive) and associated firmware, the IOP 17 is dedicated to IOX 17' (the input output executive) and associated firmware. Each MP 15 section also includes one optional 802.3 port 10 for SX 15' development or LAN support. Each MP 15 communicates with its associated IOP 17 via a shared memory interface 18 to memory unit 16.

The primary function of SX 15' is to provide an execution environment for a application program developed by a Control Engineer for a particular industrial control system. To provide this environment, the SX 15' is engaged in performing the following steps as shown in FIGS. 8A and 8B:

1. Receiving Inputs from the IOP 17, step 301;
2. Voting Inputs for the application program, step 302;
3. Downloading application programs (All and Changes), step 303;
4. Executing application programs, step 304;
5. Sending outputs to the IOP 17, step 305;
6. Sending Configuration Information to the IOP 17, step 306;
7. Processing messages from Communications Modules LCM, step 307;
8. Verifying the integrity of the hardware, step 308;
9. […] Requests, step 309; and
10. Return for more inputs, step 310.

SX 15' firmware executes the application program generated by the user and downloaded from a development computer system as shown in FIG. 10A. The application program uses Digital and Analog IOP inputs and […] output and communication […] synchronization between […] the development system 35 and a […]

The SX 15' runs in parallel on each of the three Main […] synchronization by a combination of the time specific […] synchronization to rendezvous all of the Main Processors at a maximum scan rate. The scan rate is selectable by the user […] of 10 ms to 450 ms. Once the rendezvous occurs, each SX 15' transfers information tables between the Main Processors. SX 15' then determines what functions […] during the scan. These include updating memory, running an application program, and the like.

Referring again to FIG. 2 and FIG. 4, the IOX 17' firmware executes on a separate 50 MHz MPC860 CPU, located on the MP/IOP module 1. There are three identical copies of IOX 17 firmware, on each MP/IOP module 1. These copies are referred to as legs A, B and C based on the MP 15 they are running on. Each leg or channel (between MPs) has an upstream leg and a downstream leg, referred to as US and DS. The following table defines the Upstream, US, and Downstream, DS, mapping functions. The relationship is illustrated in FIG. 11 showing upstream and downstream paths. Where u=upstream, d=downstream, m=me, T=TS pulse, L=Loop-back capture, C=Capture.

As shown in FIG. 10A, the typical minimum system of the present invention includes three MP/IOP modules; 1a, 1b and 1c. At least one of these modules, 1a, may be connected to a application program development computer 35 over a development connection 6 to the system executive, SX 15'. This connection permits a download of the application program developed on the development system 35 to at least one of the three processors 1a, 1b, 1c which loads the program to the other two. Additionally, an interface over the Modbus 5 for each of the processors permits distributed processor control system (DCS) and human machine interface (HMI) communications over RS232/RS485 bus ports,
5b and 5c. Each of the processors communicates over an LIO bus 13 on independent interconnection lines 13a, 13b and 13c as shown in FIGS. 10A and 10B. Each of the I/O bus connections interfaces with the LIO modules 2a and 2b, shown by way of example, each of which have triplicated FPGAs 30a, 30b, and 30c over bus 13a, 13b and 13c. Each FPGA is coupled to the field circuitry 32a, 32b and 32c respectively which receives field inputs 34 for the particular control system being monitored. The I/O modules may as noted above be configured for particular services, such as DI, DO, AI, AO, RO, RI and the like.

With reference to FIG. 10B, an alternate configuration of the triplicated main processors 1a, 1b and 1c is shown utilizing dual communication modules 3a and 3b which provide the Modbus and Development serial links, but in addition provide external communication links for external communications. In this configuration the Modbus 5 and Development 6 ports on the MP/IOP modules 1a, 1b, and 1c are disabled. Each of the LCM modules 3a and 3b communicates with each of the respective MP/IOP modules 1 over communication lines 9a, 9b and 9c which are coupled to the communication bus (LCB) of each of the main processors. FIG. 10B also shows additional I/O modules 2c and 2d attached to the I/O bus to illustrate that multiple I/O modules 2 may be connected on the same I/O bus 13.

While the system of the present invention is shown as triplicated MP/IOP modules 1, multiple I/O modules 2 and optionally one or more LCM modules 3, other configurations are possible to provide more or less redundancy. As shown in FIG. 12, the LCM module 3 provides two 802.3 TCP/IP networking connections 24 (for peer to peer linking) and 25 (for development system 35 or DCS hosts linking). The LCM also provides RS232/RS485 ports 26, 27, and 28 for supplemental bus and development system linking. The LCM is based on a Motorola MPC860T and MC68360 which is used as a communications co-processor.

The system may also run with only one each of the various modules or combinations of multiple MP/IOP modules 1, LCM modules 3 or I/O modules 2. The System Executive, SX 15' of each MP/IOP modules 1 is responsible for executing the application program downloaded from the Development PC 35. The System Input/Output Executive, IOX 17', communicates with the FPGAs 30 of the I/O modules 2 and the SX 15'. Both SX 15' and IOX 17' are resident on the MP/IOP module in the MP 15 section and the IOP 17 section respectively. The I/O modules convert physical inputs and outputs to communication messages.

The MP 15 memory 16 includes an FPGA 77 as shown in block diagram form in FIGS. 9A and 9B which contains the following MP/IOP functions: Channel 11 management, synchronization system management, the MP watchdog, the MP Hard reset management, the IOP watchdog, the IOP Hard reset management, Expansion flash prom decode routine, Modbus / LCM channel MUX, Fault LED control, and Mode LED control. As shown in FIGS. 9A and 9B, the major block descriptions of the FPGA 77 software is as follows:

Rx_channel, 80 VHDL module containing: Rx_recvr, Rx_pllh, Rx_crc and Rx_ctrl. This module is used twice, once for the upstream channel and once for the downstream channel.

Rx_recvr, 80a Dual 5 bit de-serializer, dual 5b4b decoder, symbol decoder and byte strobe generation. Operates from the received clock.

Rx_pllh, 80b Byte synchronization digital phase lock loop. Synthesizes byte strobes from the received byte strobe. Operates from the MPC860 50 MHz clock divided by 4.
Rx_crc, 80c Calculates and checks the received CRCs, based upon a nibble polynomial lookup table for CRC32. Operates from the MPC860 50 MHz clock divided by 4.

Rx_ctrl, 80d Receive state machine. Decodes and sequences received bytes and request writes to the RX FIFO. Detects and handles receive channel errors. Operates from the MPC860 50 MHz clock divided by 4.

Tx_channel, 81 VHDL module containing: Tx_xmitr, Tx_crc and Tx_ctrl.

Tx_xmitr, 81a Dual 4b5b encoder, symbol encoder, dual 5 bit transmit shift register and byte strobe generator. Detects and handles Transmit channel errors. Operates from the MPC860 50 MHz clock divided by 4.

Tx_crc, 81b Calculates and sends the transmit CRCs. Based upon a nibble polynomial lookup table for standard CRC32. Operates from the MPC860 50 MHz clock divided by 4.

Tx_ctrl, 81c Receive state machine. Generates packet symbol sequences, header, header to data pad and data field sequence. Requests and reads bytes from the TX FIFO. Operates from the MPC860 50 MHz clock divided by 4.

Rx_fifo, 82 Contains 4-32 by 8 dual port SRAMs organized as two 16 by 32 FIFOs. Also contains the receive channel byte to 32 bit word steering MUX.

Tx_fifo, 83 Transmit channel FIFO, contains 4-32 by 8 dual port SRAMs organized as one 16 by 32 FIFO and 1 by 32 bit word used for diagnostic CRC word storage. 15 by 32 locations spare.

Tb_dma, 84 DMA bus controller and channel arbiter. Handles requests from the Transmit and receive channels for FIFO bus read and writes. Controls the MPC860 side on the Rx_fifo, Tx_fifo and all DMA address pointers (Tb_addr). Communicates via signal pins with the external Bus PAL for DMA transfers. Operates from the MPC860 50 MHz clock divided by 2.

Tb_addr, 85 All DMA pointers: Transmit buffer descriptor page register TXBDP, Transmit buffer descriptor index pointer TXBDI, Upstream buffer descriptor page register UPBDP, Upstream buffer descriptor index pointer UPBDI, Downstream buffer descriptor page register DNBDP, Downstream buffer descriptor index pointer DNBDI, MPC860 Address bus MUX and peripheral bus read back MUX.

Tb_regs, 86 Holds the Miscellaneous control register, Transmit channel control register, Upstream and downstream control, Channel 11 interrupts and the peripheral bus interface.

Tt, 87 synchronization system. Contains entire synchronization system functionality described hereafter plus 2 32 by 8 dual port SRAMs used for capture registers. Interfaces to and peripheral bus through Tb_regs. Operates from the MPC860 50 MHz clock divided by 2.

tb_misc, 88 Contains LED controls, expansion flash prom decode, MP 15 reset, IOP 17 reset, MP 15 watchdog timer and IOP 17 watchdog timer. Operates from the 16 MHz-baud clock.

tb_a4, 89 FPGA 77, also contains clock buffers, parity generator and I/O buffers.
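The Rx_crc and Tx_crc blocks above compute CRC32 from a nibble (4-bit) polynomial lookup table, which needs 16 table entries instead of 256. The software model below is an added example, not the patent's VHDL; the reflected polynomial 0xEDB88320 with 0xFFFFFFFF preset and final XOR (the common CRC-32 parameters), the function names and the frame layout with a little-endian CRC trailer are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC32_POLY_REFLECTED 0xEDB88320u  /* assumed: common CRC-32 polynomial, bit-reversed */
#define CRC_LEN 4u

static uint32_t nibble_table[16];
static int table_ready;

/* Build the 16-entry table: each entry is the CRC remainder of one 4-bit value. */
static void crc32_init(void)
{
    for (uint32_t n = 0; n < 16; n++) {
        uint32_t c = n;
        for (int k = 0; k < 4; k++)
            c = (c & 1u) ? (c >> 1) ^ CRC32_POLY_REFLECTED : (c >> 1);
        nibble_table[n] = c;
    }
    table_ready = 1;
}

/* CRC-32 over a buffer, consuming each byte as two nibbles (low nibble first). */
uint32_t crc32_nibble(const uint8_t *data, size_t len)
{
    if (!table_ready)
        crc32_init();

    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        crc = (crc >> 4) ^ nibble_table[crc & 0xFu];
        crc = (crc >> 4) ^ nibble_table[crc & 0xFu];
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Transmit side: copy the payload and append the CRC, least significant byte first.
 * Returns the frame length, or 0 if the output buffer is too small. */
size_t frame_build(const uint8_t *payload, size_t len, uint8_t *out, size_t cap)
{
    if (cap < len + CRC_LEN)
        return 0;
    memcpy(out, payload, len);
    uint32_t crc = crc32_nibble(payload, len);
    for (size_t i = 0; i < CRC_LEN; i++)
        out[len + i] = (uint8_t)(crc >> (8 * i));
    return len + CRC_LEN;
}

/* Receive side: recompute the CRC over the payload and compare with the trailer.
 * Returns 1 for an intact frame, 0 for a corrupted or truncated one. */
int frame_check(const uint8_t *frame, size_t len)
{
    if (len < CRC_LEN)
        return 0;
    size_t body = len - CRC_LEN;
    uint32_t got = 0;
    for (size_t i = 0; i < CRC_LEN; i++)
        got |= (uint32_t)frame[body + i] << (8 * i);
    return crc32_nibble(frame, body) == got;
}

int main(void)
{
    /* Constructed payload standing in for one information-table transfer. */
    const uint8_t payload[4] = { 0x01, 0x02, 0x03, 0x04 };
    uint8_t frame[16];
    size_t n = frame_build(payload, sizeof payload, frame, sizeof frame);

    printf("check value  : 0x%08X\n",
           (unsigned)crc32_nibble((const uint8_t *)"123456789", 9));
    printf("intact frame : %d\n", frame_check(frame, n));
    frame[2] ^= 0x10;                     /* single bit error on the link */
    printf("bit flipped  : %d\n", frame_check(frame, n));
    return 0;
}
```

A CRC of this kind detects accidental corruption on the channel; it carries no key, so it does not authenticate the sender of a frame.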

FIGS. 11A and 11B shows the interconnection of the main processor modules MP/IOP module 1. FIGS. 11A and 11B illustrates an upstream MP 90 (U) transmitting a pulse 90f (T) over path 90a (ud) to the downstream processor 92 (D) where it is captured by downstream processor 92 at its downstream capture register 92j (dC); over path 90b to its upstream loop back capture register 90e (uL); along path 90c (mu) where it is captured by the My processor 91 (M) capture register 91h (uC) and over path 90d to its downstream loop back capture register 90g (dL).

Similarly, the My processor 91 (M) is shown transmitting a pulse 91f (T) over path 91a (um) to the upstream processor 90 (U) where it is captured by downstream processor 90 at its downstream capture register 90j (dC); over path 91b to its upstream loop back capture register 91e (uL); along path 91c (md) to the downstream processor 92 (D) to capture register 92h (uC) and over path 91d to its downstream loop back capture register 91g (dL).

The downstream MP 92 (D) is shown transmitting a pulse 92f (T) over path 92a (dm) to the next downstream processor 91 (M) where it is captured by downstream processor 91 at its downstream capture register 91j (dC); over path 92b to its upstream loop back capture register 92e (uL); along path 92c (du) to the upstream processor 90 (U) to capture register 90h (uC) and over path 92d to its downstream loop back capture register 92g (dL).

TABLE I

Upstream and Downstream relation

Leg    US (leg)    DS (leg)
A      C           B
B      A           C
C      B           A

The IOP 17 which contains the IOX 17' provides the following serial communications interfaces: an I/O Bus, a Diagnostic Channel, a Serial Debug port, a BDM port, a […] 802.3 10BaseT ethernet expansion I/F […] expansion IOP 17 bus, and Channel for communications with the temperature sensor.

Each IOX 17' implements the complete logic for one of the three legs (A, B or C) […] IOX 17' legs through two mechanisms: a synchronization signal and data messages through a small HDLC diagnostic bus.

The IOX 17' internal execution architecture is based on deterministic, fixed duration "I/O scans". The IOX 17' design allows for any predefined scan duration, but is set to use a 1 millisecond scan time. During each I/O scan, execution proceeds in two modes: foreground and background.

The foreground mode is implemented as an interrupt service routine, which takes up most of the I/O scan durations. An internal MPC860 timer interrupt is used to switch the CPU to foreground mode. This I/O scan interrupt is synchronized by software with upstream and downstream IOX sections 17', ensuring that foreground execution on all three legs starts within a maximum of 2 μsec of each other.

Following these tasks, the CPU reverts to the background mode, which implements the synchronizing IOX 17' system time with the SX 15' system time, informing SX 15' that IOX 17' is still operational, processing control messages that SX 15' may have placed in the shared memory, and processing input from, and output to, the debug port.

A diagnostic channel provides a communications link between the IOP legs. The MP 15 and IOP's section 17 leg addresses are read through MPC860 parallel port pins.

TABLE II

Leg Address encoding

               MPC860 Port Pin
Leg number     PB14    PB15    PB16
Leg A          0       1       1
Leg B          1       0       1
Leg C          1       1       0
Bad Address    All other values

[…] connected to the same base-plate address plugs.

Each redundant leg or channel 13 of the system is mechanically and electrically isolated from adjacent legs in an acceptable mechanical isolation, which is defined as at least equivalent to the trace-to-trace spacing required to achieve 800 VDC electrical isolation. Other isolation techniques such as opto-isolation at all leg-to-leg interfaces may be used as an alternative provided the preferred VDC is achieved.

In the event of an MP/IOP module 1 failure, the triad, via software control, is dissolved dynamically and the remaining two re-configured into a dual-master configuration. A hot replacement MP/IOP module 1 is dynamically "re-educated" by transferring re-education data including application program and data over the Channel 11 on insertion.

ENCLOSURE AND MOUNTING

Referring to FIG. 13, the MP/IOP modules 1, I/O 2 modules, LCM 3 modules are each housed in a separate configurable enclosure or housing 29 which receives the circuit boards which comprise the different modules. The same form of housing 29 may be used for each module by […] plate information for the particular […] 20 and the base 21 of the housing 29 are […] FIG. 13 […] and the base 21 are provided with a thermal conductive pad or medium 36 which is electrically non-conductive. A suitable medium 36 […] purpose is a GAP PAD™ 1500 which is a conformable thermally conductive material for filling air gaps. The GAP PAD™ 1500 medium 36 used in this invention is obtainable from the Bergquist Company at 5300 Edina Industrial Boulevard, Minneapolis, N.Mex. 55439 and the Bergquist Company has been granted patents on such materials as is shown in U.S. Pat. No. 5,679,457 which is incorporated herein by reference.

The thermally conductive medium 36 is applied to the inner surfaces of the housing 29, which preferably includes at least the two major surfaces. As illustrated, four surfaces are covered. Where increased thermal conductivity is desired all or any portion of the internal surfaces may be covered by medium 36. Each functionally specific module uses the same general circuit board for providing redundant power. The character or the functionality of the particular module is determined by the module board for the various modules, as previously described, that is the electronic circuit board which implements the MP/IOP module 1, LCM module 3 or the various types of I/O modules 2. FIG. 14 and FIG. 15 show the block diagram for the power board 4 and the MP/IOP module 1 for example.

Referring again to FIG. 13, the molded cover 20 of the housing 29 includes a planar cover mounting surface 38 for receiving the thermal conductive medium 36, and a face
plate 39 mounted generally at right angles to the mounting surface 38. The face plate 39 is provided with a series of LED conduits 40 that may be filled with fiber optic tubes or plastic inserts, or other light transmissive medium or a cover for permitting light from LED's 41 which are mounted on the module circuit boards 54 to pass from the circuit board to the surface of the faceplate 39 for viewing. While holes may be left open in the cover 20 face plate 39, dust and debris from the industrial environment may contaminate the circuitry. Accordingly, these conduits are preferably filled to seal the housing 29. The extruded cover 20 of the housing 29 has a plurality of thermal dissipating fins 61 on an outer surface 38a. The face plate 39 also has a hole 74a for receiving a jack screw 50.

The base 21 of the housing 29 includes a planar base mounting surface 43 and a base 44 which has a plurality of connector holes 45 and grounding pin holes 46 for electrical connectors to a base plate 49. The grounding pins 47a and 47b are elongated as shown in FIG. 16 so that when the housing 29 is mounted to the base plate 49, the grounding pins 47 engage prior to engagement of the electrical connectors 48. This permits the housing 29 to be grounded before the power is applied to the module through engagement with the connectors 48. The base 21 further includes opposing sides 59a and 59b which enclose the housing 29 when the same is assembled with the cover 20. The base is also provided with thermal dissipating base fins 60 mounted on the outer surface 43a of the base mounting surface 43. In addition, grounding pin placement only permits one-way insertion.

To allow the MP/IOP module 1 hardware to fit into the system packaging, the MP/IOP module 1 design is separated into two printed circuit board assemblies as shown in FIG. 16. These are the functionality board 51 for the particular […] which are mounted in the system package in the form of a sandwich. A 50 pin connector connects the two PCMs at one end.

As shown in FIG. 16, the power board 56 and the functionality board 57 are each sized to fit into the housing 29 and are connected in the form of a circuit board sandwich 37 with all of the inter board connectors M at one end. Also shown in the schematic of the circuit board sandwich 37 the data signals 54 are input and output at one end and visual signals 55 generated by LED's 41 or any other source of light are output at the other. The power board 56 and the functionality board 57 are electrically connected at the end near the front of the housing 29 and all of the electrical connections are disposed at the rear of the housing 29 and are externally accessible. The board sandwich 37 may be mounted inside the housing in any conventional manner provided that heat generated by the circuit boards is transmitted out of the housing. The thermally conductive medium should therefore be in contact with the circuit board and the inner surfaces of the housing. As shown in FIG. 15, the base 21 includes mounting pads 71 for fastening the power circuit board 56 inside the housing which are disposed in the center at the four corners of the planar mounting surface. Only three of the mounting pads 71 are visible. It should be noted that other thermal control mechanisms such as coolant tubes and the like may also be used for heat dissipation with the housing 29.

As shown in FIG. 17, the cover 20 face plate 39 is also provided with a flexible Mylar cover 42 which is retained in opposing slots 58a and 58b on the front of the base and are used to identify the type of module (i.e. its function). In this respect, the conduits 40 are made to accommodate all of the positions for the LED's 41 for all configurations of LED's for each type of module. The Mylar cover 42 covers those conduits 40 not used for the particular functionality intended.

The major elements of the control system include field replaceable modules housed in the protective metal housing 50. These modules include a Main Processor Module (MP 15), I/O Modules including a Digital Input Module (DI), a Digital Output Module (DO) a Relay Output Module (DI), an Analog Input Module (AI) an Analog Output Module and Extender Module (EM) and such other modules as may be necessary or appropriate.

Each of these modules is fully enclosed to ensure that no components or circuits are exposed even when the module is removed from the baseplate. Offset baseplate connectors make it impossible to plug a module in to the baseplate connectors in the incorrect position. In addition, keys on each module prevent the insertion of modules into the incorrect slots.

FIGS. 18A, 18B, 18C, 18D and 18F shows typical MYLAR cover 42 for the face plate for the housing 29 for each of the various modules with indicia for functions identification and openings 95 aligned with the LEDs 41 of the specific functionality board and with opaque areas […] indicators used for the MP/IOP module 1 are shown in the following Table III, although other indicators may be used as required. Many of these same indicators may be used in other modules.

TABLE III

MP/IOP indicators



Front Panel Indicators
Status Function          LED Indicator                     Color                Power up state    Controlled By
Module Status            Pass                              Green                Off               Not Fault
                         Fault                             Red                  On                MP|IOP
                         Active                            Green                Off               MP
Mode                     Run Mode                          Green                On                MP
                         Remote Mode                       Green                On                MP
                         Program Mode                      Yellow               On                MP
                         Stop Mode                         Yellow               On                MP
Alarms                   Field Power                       Red                  On                MP
                         System Power                      Red                  On                MP
                         System Alarm                      Red                  On                MP
                         Program Alarm                     Blue                 On                MP
                         Over Temperature                  Red                  Off               MP
                         Lock                              Red                  On/Off            MP
Communications Status    TX/RX Reserved                    Green/Green          Off               Hw
                         TX/RX IO bus                      Green/Green          Off               Hw
                         TX/RX COMM Bus                    Green/Green          Off               Hw
                         TX/RX Modbus                      Green/Green          Off               Hw
                         LINK/TX/RX Development Network    Green/Green/Green    Off               Hw

Hw = Hardware circuit.

Note 1: MP or IOP, not both, under firmware control.

The module status indicators display the operational status on the MP/IOP 1 module. IOP 17 status is passed to the MP 15 via the shared memory interface.

Pass — Indicates that both MP 15 and IOP 17 sections have passed all diagnostics. PASS is the inverse of FAULT, and can be read on both MPC860s PAS. PASS is active low. No user action required.

Fault — Indicates a fault was detected on the MP 15 or IOP 17 sections. The user is expected to replace the module. The fault indicator is forced ON by a MP/IOP module 1 "hard" reset, or MP 15 or IOP 17 watchdog timer time-out or the FAULT port bit PA11 on the MP or IOP MPC860. The FAULT bit is active high. The FAULT bit is pulled up via a 10 k resistor, so that it defaults to the faulted state. Note: If the fault is detected in a non critical portion on the MP, such as the Debug port or Flash prom, or the MP has re-educated too many times due to transient faults, it is permitted for the MP 15 to continue running in the Fault — Active state. See SX fault handling.

Active — Indicates the MP 15 is running the application program. The MP 15 flashes Active LED once for each application program scan executed. SX firmware shall control the ON duty cycle to ensure the LED is visible, even for very fast application programs. The ACTIVE LED is driven from MPC860 port bit PA10, active high.

Mode Indicators

Run Mode — Indicates the System of the present invention is in "Run" mode. Run is driven from the Channel 11/synchronization system FPGA 77, see MCR register. The LED defaults to ON during hardware reset.

Remote Mode — Indicates the System of the present invention is in "Remote" mode. Remote is driven from the Channel 11/synchronization system FPGA 77. The LED defaults to ON during hardware reset.

Program Mode — Indicates the System of the present invention is in "Program" mode. Program is driven from the Channel 11/synchronization system FPGA 77. The LED defaults to ON during hardware reset.

Stop Mode — Indicates the System of the present invention is in "Stop" mode. Stop is driven from the Channel 11/synchronization system FPGA 77. The LED defaults to ON during hardware reset.

System Status Indicators

Field Power — Indicates that a 24 V field power input on one or more I/O module is missing. If the field power alarm is on, the system alarm is illuminated by SX 17'. Development or Trilog must be queried by the user to determine the actual module(s) reporting the alarm condition. FP_ALRM is active high on PB29.

System Power — Indicates that there is a 24V logic power input missing on one or more MP, I/O or CM module. Development or Trilog must be queried by the user to determine the actual module(s) reporting the alarm condition. If the logic power alarm is on, the system alarm is illuminated by SX 17'. SP_ALRM is active high on PB28.

System Alarm — Indicates that a fault or error condition is present in the System of the present invention. Development or Trilog must be queried by the user to

Module Communications Indicators

Communications indicators are provided to aid the user/installer in troubleshooting cable installation problems.

Reserved TX/RX — Flashes when an expansion IOP 17 is communicating over the RS485 IOP bus.

IO Bus TX/RX — Flashes when the IOP 17 is communicating on the I/O bus.

COMM Bus TX/RX — Flashes when the MP 15 is communicating to either LCM.

Modbus TX/RX — Flashes when the MP 15 is communicating on its local RS232/RS485 Modbus port.

Development Link — Indicates the MPs 15 10BaseT twisted pair receiver has established a hardware connection over RX+ and RX- signals with the Ethernet hub. Note: The hub should also contain a Link LED to indicate a hardware connection has been established with the MPs TX+ and TX- twisted pair signals.

Development TX/RX — Flashes when the MP 15 is communicating on its 802.3 10BaseT Development network. Flashes when the MP 15 is communicating on its 802.3 TriLan port or when the LRXM or expansion IOP is communicating over its 802.3 fiber optic port.

The table IV below lists the conditions represented by the top indicators on the DI front panel, FIG. 18B, and provides a description and a recommended action for each condition. An X represents a neutral indicator.

TABLE IV

off On

determine the actual module(s) reporting the alarm 

condition. System alarm is driven by the MP port bit 

PA9. System alarm is active high and pulled up. 
Program Alarm — Is driven by the application program to 55 

indicate an alarm condition detected by the apphcation 

program, typically bypassed points. Program alarm is 

driven by the MP 15 port bit PD5. System alarm is 

active high and pulled up. 
Over Temp. — ^Indicates an MPC860 junction over tem- 
perature. Over temp is driven directly from the tem- 
perature monitor IC. SX 17' programs the trip tempera- 
ture via the PC channel. 
Lock — Indicates the module is not locked into its base- 
plate. The unlock status bit is readable on both 6S 

MPC860's port bit PC9. Unlock is active high and 

pulled up. 



Top Indicator Conditions

Pass Fault Active Lock Description Action

On Off On Off
Description: Module is operating normally.
Action: No action is required.

On Off Off Off
Description: Possible conditions: Application program has not been loaded into the MP. Application program has been loaded into the MP, but has not been started up. Module has just been installed and is currently running start-up diagnostics. The other module is active.
Action: If module is the hot spare, no action is required. If module is active, replace module.

Off
Description: Possible conditions: Module may have failed. Module may be in the process of power-up self-test.
Action: See mode indicator status for power-up states. If module's PASS indicator does not go on within five minutes, replace module.

Description: Module has detected a fault.
Action: Module is operational, but should be replaced.

X X On
Description: Module is unlocked from the baseplate.
Action: Lock module.

On On
Description: Indicators/signal circuitry on the module are malfunctioning.
Action: Replace module.



The following table V lists the conditions that can be represented by the Field Power indicator.

TABLE V

Field Power Indicator Conditions

Field Power Description Action

On
Description: Field power from one or more of the redundant sources is missing.
Action: To isolate the missing power source, use the Development System computer Diagnostic Panel. Correct the problem in the field circuit. If these steps do not solve the problem, replace module.

Off
Description: Field power is operating normally.
Action: No action is required.

The following table VI lists the possible conditions that can be represented by a point indicator.

TABLE VI

32 Point Indicator Conditions

Point (1-32) Description

On: Field circuit is energized.
Off: Field circuit is not energized.

The table VII below lists the conditions represented by the top indicators on the DO front panel (see FIG. 18C) and provides a description and a recommended action for each condition. An X represents a neutral indicator.

TABLE VII

DO Front Panel

Pass Fault Active Lock Description Action

On Off On Off
Description: Module is operating normally.
Action: No action is required.

On Off Off Off
Description: Possible conditions: Application program has not been loaded into the MP. Application program has been loaded into the MP, but has not been started up. Module has just been installed and is currently running start-up diagnostics. The other module is active.
Action: If module is the hot spare, no action is required. If module is active, replace module.

Off On Off
Description: Possible conditions: Module may have failed. Module may be in the process of power-up self-test.
Action: See mode indicator status for power-up states. If module's PASS indicator does not go on within five minutes, replace module.

Description: Module has detected a fault.
Action: Module is operational, but should be replaced.

X X X On
Description: Module is unlocked from the baseplate.
Action: Lock module.

On On X
Description: Indicators/signal circuitry on the module are malfunctioning.
Action: Replace module.

The following table VIII lists the conditions that can be represented by the Power/Load indicator.

TABLE VIII

Power/Load Indicator Conditions

Power Description Action

On
Description: For at least one point, the commanded state and the measured state do not agree.
Action: To isolate the suspected point, use the Development System computer Diagnostic Panel. To determine the output point's commanded state, use the Development System computer Control Panel. To determine the output's actual state, use a voltmeter, then correct the problem in the external circuit. If these steps do not solve the problem, replace module.

Off
Description: All load connections are functioning properly.
Action: No action is required.

The following table IX lists the possible conditions that can be represented by a point indicator.

TABLE IX

16 Point Indicator Conditions

Point (1-16) Description

On: Field circuit is energized.
Off: Field circuit is not energized.

The table X below lists the conditions represented by the top indicators on the AI front panel (see FIG. 18D) and provides a description and a recommended action for each condition. An X represents a neutral indicator.

TABLE X

AI Top Indicator Conditions

Pass Fault Active Lock Description Action

On Off On Off
Description: Module is operating normally.
Action: No action is required.

On Off Off Off
Description: Possible conditions: Application program has not been loaded into the MP. Application program has been loaded into the MP, but has not been started up. Module has just been installed and is currently running start-up diagnostics. The other module is active.
Action: If module is the hot spare, no action is required. If module is active, replace module.

Off On Off
Description: Possible conditions: Module may have failed. Module may be in the process of power-up self-test.
Action: See mode indicator status for power-up states. If module's PASS indicator does not go on within five minutes, replace module.

Description: Module has detected a fault.
Action: Module is operational, but should be replaced.

X On
Description: Module is unlocked from the baseplate.
Action: Lock module.
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TABLE X-conlinued 



AI Top Indicator Conditions

Pass Fault Active Lock Description Action

On On X X
Description: Indicators/signal circuitry on the module are malfunctioning.
Action: Replace module.

The following table XI lists the conditions that can be represented by the Field Power indicator.

TABLE XI

Field Power Indicator Conditions

Field Power Description Action

On
Description: Field power from one or more of the redundant sources is missing.
Action: To isolate the missing power source, use the Development System computer Diagnostic Panel. To determine the output's actual state, use a voltmeter, then correct the problem in the external circuit. If these steps do not solve the problem, replace module.

Off
Description: Field power is operating normally.
Action: No action is required.

The table XII below lists the conditions represented by the top indicators on the Relay Output RO front panel (see Figure E) and provides a description and a recommended action for each condition. An X represents a neutral indicator.

TABLE XII

Pass Fault Active Lock Description Action

On Off On Off
Description: Module is operating normally.
Action: No action is required.

On Off Off Off
Description: Possible conditions: Application program has not been loaded into the MP. Application program has been loaded into the MP, but has not been started up. Module has just been installed and is currently running start-up diagnostics. The other module is active.
Action: If module is the hot spare, no action is required. If module is active, replace module.

Off On Off
Description: Possible conditions: Module may have failed. Module may be in the process of power-up self-test.
Action: See mode indicator status for power-up states. If module's PASS indicator does not go on within five minutes, replace module.

Description: Module has detected a fault.
Action: Module is operational, but should be replaced.

On
Description: Module is unlocked from the baseplate.
Action: Lock module.

TABLE XII-continued

Pass Fault Active Lock Description Action

On On X X
Description: Indicators/signal circuitry on the module are malfunctioning.
Action: Replace module.

The following table XIII lists the possible conditions that can be represented by a point indicator.

TABLE XIII

Point (1-32) Description

On: Field circuit is energized.
Off: Field circuit is not energized.



Indicators for other input/output modules are similarly configured as necessary.

FIG. 17 shows the manner in which the cover 20 interconnects with the base. The cover 20 includes cover interlocks which mate with corresponding base 21 interlocks. The cover and the base 21 are then screwed together after insertion of the circuit board sandwich shown in FIG. 16 and the thermal conductive material inside the housing utilizing screws 73 in the cover screw holes and the base screw holes as shown in FIG. 13, although any fastening method may be used.

Alignment of the housing 29 on insertion can be difficult. Accordingly the single jack screw 50 as shown in FIG. 13 is utilized which has a screw thread 51 at one end for engaging the base plate 49 for mounting. The single jack screw 50 is centered in the housing 29 and is mounted through the jack screw hole 74. The use of a single jack screw 50 seats the module upon entry and unseats the module on exit, that is, on engagement and disengagement from the connectors. A snap ring 52 is attached to one end of the jack screw 50 and engages an annular recess 62 on the jack screw 50 to hold the jack screw 50 in position within the housing at the base 44, a handle 53 holds the jack screw in place at the face plate 39. This permits the jack screw 50 to pull the module out of its connectors on unscrewing the jack screw 50 which remains mounted to the housing 29. The handle 53 of the jack screw 50 pulls the housing 29 into its seat on screwing in of the jack screw 50. This configuration allows ease of insertion and removal of the housing 29, and provides a safety factor in that the housing 29 is first grounded on mounting prior to power being applied.

The jack screw 50 has an LED detector notch 63 therein which allows the beam from a detector LED, which may be mounted on either circuit board in the housing, but preferably on the power board 56, such that the light beam from the LED is to be intercepted when the jack screw 50 is fully seated. If the jack screw 50 is not fully seated, the LED beam is interrupted and the system determines that the module is not fully or properly seated.

When "removed status" is detected, the SX 15 evaluates the application program and if the retentive data is invalid, re-education (reload) from another MP 15 with a valid application program occurs. If no other MP 15 has a valid application program, the SX 15' waits in the Stop mode for a new application program to be loaded, the MP 15 is commanded to the Program Run or Remote state, and commanded to download and run.

The "Module Lock Detector" indicates the MP/IOP module is seated and locked into its base-plate 65a as shown in FIGS. 5A and 5B. This status is readable by both MPC860s and reflected in the module status message. The Lock detector is implemented using a reflective type opto-interrupter not shown which detects the position of the slot on the jack screw 50. The locked state is indicated by the opto-interrupter in the ON (low-conducting) state, i.e. the opto-interrupter signal is blocked by the jack screw 50. The opto-interrupter is diagnosable under firmware control which allows at least 1 ms for the opto-interrupter to change state. The UNLOCK LED is forced off in hardware by a lock detector diagnostic bit.

Hot-insertion of the MP/IOP 1 or any other modules into the base-plate is provided using the detectable keyed insertion jack screw 50 to insure proper installation orientation and correct module type.

Each housing 29 is mounted on a base-plate 65 as discussed before as shown in FIGS. 5A and 5B. Each base plate 65 may support more than one module. The base plates 65 are mounted to rails 66 and multiple base plates 65 may be mounted in a single system. FIGS. 5A and 5B show mounting for both a minimum system and a large system.

FIGS. 19A and 19B illustrate the mounting of the base-plate for the main processor module MP/IOP module 1 showing its baseplate 65a mounted to the rail and its interconnections. FIGS. 20A and 20B illustrate the mounting of the Digital In module showing its baseplate 65b mounted to the rail and its interconnections. FIGS. 21A and 21B illustrate the mounting for the Digital Out module showing its baseplate 65c mounted to the rail and its interconnections. FIGS. 22A and 22B illustrate the mounting for the Analog In showing its baseplate 65d mounted to the rail and its interconnections. FIGS. 23A and 23B illustrate the mounting for the Relay module showing its baseplate 65e mounted to the rail and its interconnections.

Rail 64 mounted base-plate assemblies permit stacking of several modules as shown in FIGS. 5A and 5B. Each module is housed in a unique housing 29 as described above which provides extended make-first/break-last safety and signal ground pins 47. Also, a safety ground connection to the rail is supplied by the base-plate assembly.

Redundant 24 VDC power supplies are provided to provide a back up in the case of power supply failure. In the preferred embodiment, the MP/IOP 1 is based on the Motorola QUICC microprocessor, the MPC860, as noted above, and includes support for at least 32M bytes of application memory (DRAM). Error detection via parity, background diagnostic, and voting, correction via leg re-education are also provided as is hereinafter described.

TABLE XIV

MP/IOP Base-Plate Requirements Connector Requirements

Qty Connector                Function

1 6 pin Terminal block       VSP1, VSP2 24v logic power and PE
4 pin Terminal block         Redundant Alarms
Fuse holders                 VSP1, VSP2 and Redundant Alarms
Address Plug                 Node Address
DB9p                         RS232/RS485 Modbus
DB9p                         Reserved - not installed
96 pin DIN                   IO/LCM Module power and LIO bus
96 pin DIN                   LCM Left & Right
Shielded RJ45                802.3 10BaseT connector
RJ12                         Debug - Diag Read port
96 pin DIN                   Controller board
48 pin DIN - E               Power Interface board

TABLE XIV-continued

MP/IOP Base-Plate Requirements Connector Requirements

Qty Connector                Function

12 Extended Pin              FE and PE (Logic and Chassis ground)

The base-plate contains 3 address plugs (one multi-part address plug connector), one per leg. Base-plate Address plugs are visible with modules and cables installed. The Node address is set via the Address plugs on the MP/IOP base-plate. MP/LIOC address plugs are readable by both MP 15 and IOP 17 CPUs. The same Address plugs are used by the expansion IOP 17 to define the "String number" to support multiple IOPs + I/O module strings from a TMR MP/LIOC.

SYNCHRONIZATION SYSTEM
SYNCHRONIZED TIMING ADJUSTMENT

A synchronization system subsystem (TMR Time) is the basis for MP 15 scan synchronization and rendezvous. The subsystem consists of integrated hardware and firmware components, which allows the MPs 15 to be loosely coupled in hardware, i.e. run independent of scan, and still maintain very tight leg-to-leg synchronization, i.e., from scan to scan +/-50 us. Tight synchronization is required to minimize the amount of time that the MP/IOP modules 1 wait to synchronize a Channel 11 rendezvous. Leg-to-leg (channel to channel) isolation is designed to protect against ground shorts or neighboring legs at 36 volts without causing permanent damage or affecting the operation of the leg.

Each MP/IOP module 1 rendezvous using synchronization system based upon each MP's 15 own internal time base, not a common external event or clock. The synchronization system is used to implement Channel 11 Synchronization Rendezvous, Leg time synchronization

With reference to FIG. 24 registers are used for time synchronization in an FPGA 77. A 24 bit Timer register 96 counts 1 us ticks based on the MPC860 50 MHz 25 ppm clock 51. The SX 15' may read the Timer register 96 at any time to obtain relative time. The SX 15' uses relative time of the midpoint processor to determine when to perform its next Channel 11 rendezvous for voting based on a programmed delta time parameter. For MP-to-MP time synchronization, a Time compare register 98 generates a synchronization pulse which is applied to the up and downstream MP 15 sections through amplifiers 54 and 55 respectively when the Timer register 96 matches the Time register 97 in the FPGA. The SX 15' calculates and loads the Time register 97. Four capture registers, two registers 99 and 100 for upstream and downstream capture of the timer register, and two registers 103 and 104 for attenuated loop-back capture are readable by SX 15'. The capture registers capture the value of the Timer register when a synchronization pulse is received. The SX 15' uses the delta between the capture registers and its own time to make small adjustments to its Timer register 96 time base and to detect faults.

The synchronization system hardware is optimized to minimize the real time (instantaneous) work required by SX 15'. Synchronization system servicing does not require MPC860 interrupts. Synchronization system is implemented in a FPGA 77 which is accessible by the SX 15'.
An adjustment trim register 99 is provided to compensate for time base crystal oscillator drift. The adjustment trim register 99 adjusts the time base by dropping or adding 40 ns to the time base clock. 1 us clock every M us based on adjustment counter 63, where M is programmable from 40.96 us to 0.66666496 seconds in 40.96 us increments.

The synchronization system architecture is scaleable to include at least one additional register not shown, to provide for a Hot spared MP/IOP module 1.

The synchronization system time synchronization accuracy is selected to minimize Channel 11 rendezvous window to provide synchronization resolution required for 1 ms sequence of events timing, and to provide time base fault detection and isolation between MP 15 legs.

The synchronization system does not drift more than +/-50 us over a 1 second period. To provide a 10x margin, the minimum synchronization system accuracy is +/-50 us/10 s or +/-5 ppm. The synchronization system timer base is accurate to +/-25 ppm (drift +/-25 us per second), therefore the SX 15' trims (adjusts) this time base 105 to provide the required accuracy between MPs 15.

The synchronization system and the SX 15' synchronizes the MP 15 to an accuracy of +/-50 us. This sets the normal Channel 11 rendezvous window to 100 us. The time base 105 is derived from the MP 15 MPC860 50 MHz 25 ppm crystal oscillator, divided by 4 for time base adjustments, and divided by 12.5 (12 then 13 then 12 . . . ) for the Timer register 97. Given an accuracy of +/-50 us, the time resolution of the synchronization system timer and capture registers is approximately an order of magnitude better, or: +/-5 us. Assuming the longest system scan is 500 ms, the timer should roll twice per scan so that SX can detect register roll-over and maintain the high order timer bits in system memory, therefore the timer must not roll twice per scan. 500 ms/1 us < 2^19 or 19 bits. In addition, to permit the timer to be diagnosed, the timer should roll over at least once per 10 minutes (diagnose time requirement). 600 s/1 us > 2^29 or 29 bits. A timer length of 24 bits satisfies both requirements and minimizes FPGA 77 hardware. Roll over occurs every 16.77721594 seconds. Capture registers and Time registers are 24 bits and the timer roll flag sets when the timer rolls over to zero.

Referring to FIG. 24 the synchronization system FPGA 77 includes all of the synchronization system registers which are memory mapped and includes a method illustrated in FIG. 25 for adjustment of each MP's synchronization system timer time base. This is important since the MP 15 time synchronization pulses may arrive at any time relative to an MP's timer's value. The timer FPGA 77 method generates a pulse when the Timer register 96 matches the Time register 97. The capture registers latch the contents of the Timer (double synchronized to the time base clock/2 and latched on the next microsecond) on the rising edge of each synchronization pulse. The Synchronization pulses are at least 3 us wide to allow the MP MPC860 time to poll for the presence of the pulses during power up diagnostics and SX 15' startup.

Referring to FIG. 25, the operation of the time synchronization is shown by way of example. Processor A initiates a synchronization pulse 108, processor B initiates a synchronization pulse 109 ten microseconds from the leading edge of the A pulse 108. Processor C initiates a synchronization pulse 110 twenty microseconds from the leading edge of the B 109 pulse. Assuming the clocks of each processor are running at a different count, e.g. A at 500, B at 100, C at 1000, then each processor would synchronize the clocks as follows:

MY (A) captures its clock 111a at 500 on generation of its synchronization pulse. On receipt of the downstream MY (B) synchronization pulse, MY (A) captures its clock 111c at 510. On receipt of the upstream MY (C) synchronization pulse, MY (A) captures its clock 111b at 530.

On receipt of the upstream MY (A) synchronization pulse, MY (B) captures its clock 112b at 90. MY (B) captures its clock 112a at 100 on generation of its synchronization pulse. On receipt of the downstream MY (C) synchronization pulse, MY (B) captures its clock 112c at 120.

On receipt of the upstream MY (B) synchronization pulse, MY (C) captures its clock 113b at 970. MY (C) captures its clock 113a at 1000 on generation of its synchronization pulse. On receipt of the downstream MY (A) synchronization pulse, MY (C) captures its clock 113c at 970.

By examining the capture times each processor determines which processor was midpoint, that is, in between the pulses of the other processors. Accordingly, (A) picks a count of 510 which adds 10 us to its clock and (C) picks a count of 980 which subtracts 20 us from its clock thereby synchronizing the processors.

The synchronization system Timer register 96 includes STOP and CLEAR controls. SX 15' polls for synchronization pulses from the other MP modules 1 (if any) before generating an external synchronization pulse (T).

Alternatively, the SX 15' may clear and stop the Timer register 96 and wait for a synchronization pulse. On receipt of the synchronization pulse, the SX 15' uses the adjust registers to acquire synchronization. The following steps occur in each scan time sequence.

t0, step 601

1) SX 15' reads the synchronization system capture registers and loop-back status.

2) SX 15' checks for roll over and increments the high order time bits kept in memory.

3) SX 15' selects an MP leg (mid-point) to be used for trim calculations.

4) SX calculates a real time value for the next synchronization pulse and loads time into synchronization system Time register.

t1-t3, step 602

The synchronization system capture registers 99, 100, 101, 102, 103 and 104 capture the synchronization system timer register 96 value to the nearest 1 us when an external synchronization pulse is received. Previous values are over-written.

t2, step 603

synchronization system generates a synchronization pulse when the Timer register 96 matches the Timer 97.

step 604

Returns to t0, for next scan.

Note: t0-t4 are arbitrary time markers used to illustrate the synchronization system sequence.
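The mid-point selection of step 3 and the FIG. 25 walk-through, as an added C example that is not code from the patent: each leg takes the median of its three pulse captures as the midpoint and trims by the difference from its own capture, using 24-bit wrap-safe arithmetic. The struct layout, function names and the use of the 100 us rendezvous window as a suspect-leg check are assumptions; the capture values are constructed from the pulse offsets stated for FIG. 25 (B 10 us after A, C 20 us after B).

```c
#include <stdint.h>
#include <stdio.h>

#define TT_BITS      24u
#define TT_MASK      ((1u << TT_BITS) - 1u)  /* Timer and capture registers are 24 bits */
#define TT_HALF      (1u << (TT_BITS - 1u))
#define TT_WINDOW_US 100                     /* normal rendezvous window (assumed fault limit) */

enum tt_leg { TT_OWN = 0, TT_UPSTREAM = 1, TT_DOWNSTREAM = 2 };

/* Timer values one leg latched during a scan, in 1 us ticks (hypothetical layout). */
struct tt_captures {
    uint32_t own;         /* latched on this leg's own pulse (loop-back capture) */
    uint32_t upstream;    /* latched on the upstream leg's pulse */
    uint32_t downstream;  /* latched on the downstream leg's pulse */
};

struct tt_result {
    enum tt_leg midpoint; /* which pulse fell between the other two */
    int32_t trim_us;      /* midpoint capture minus own capture */
    int suspect_up;       /* upstream pulse outside the window around the midpoint */
    int suspect_down;     /* downstream pulse outside the window around the midpoint */
};

/* Signed distance from a to b on the free-running 24-bit counter.
 * Correct across a roll-over as long as the true distance is under 2^23 us. */
static int32_t tt_delta(uint32_t a, uint32_t b)
{
    uint32_t d = (b - a) & TT_MASK;
    return (d >= TT_HALF) ? (int32_t)d - (int32_t)(TT_MASK + 1u) : (int32_t)d;
}

static int32_t tt_abs(int32_t v) { return v < 0 ? -v : v; }

struct tt_result tt_evaluate(const struct tt_captures *c)
{
    /* Offsets of the three pulses relative to this leg's own pulse. */
    int32_t off[3];
    off[TT_OWN] = 0;
    off[TT_UPSTREAM] = tt_delta(c->own, c->upstream);
    off[TT_DOWNSTREAM] = tt_delta(c->own, c->downstream);

    /* Median of three: the pulse that is neither the earliest nor the latest. */
    enum tt_leg mid = TT_OWN;
    for (int i = 0; i < 3; i++) {
        int j = (i + 1) % 3, k = (i + 2) % 3;
        if ((off[i] >= off[j] && off[i] <= off[k]) ||
            (off[i] <= off[j] && off[i] >= off[k])) {
            mid = (enum tt_leg)i;
            break;
        }
    }

    struct tt_result r;
    r.midpoint = mid;
    r.trim_us = off[mid];
    r.suspect_up = tt_abs(off[TT_UPSTREAM] - off[mid]) > TT_WINDOW_US;
    r.suspect_down = tt_abs(off[TT_DOWNSTREAM] - off[mid]) > TT_WINDOW_US;
    return r;
}

int main(void)
{
    /* Constructed captures: {own, upstream, downstream} for legs A, B and C. */
    struct tt_captures legs[3] = {
        {500, 530, 510},   /* A: upstream is C, downstream is B */
        {100, 90, 120},    /* B: upstream is A, downstream is C */
        {1000, 980, 970},  /* C: upstream is B, downstream is A */
    };
    for (int i = 0; i < 3; i++) {
        struct tt_result r = tt_evaluate(&legs[i]);
        printf("leg %c: midpoint=%d trim=%+d us\n", 'A' + i, (int)r.midpoint, (int)r.trim_us);
    }
    return 0;
}
```

Because the median ignores the earliest and latest pulse, a single leg with a runaway time base cannot pull the other two legs with it; it only shows up in the suspect flags.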

The FPGA 77 contains and decodes the following registers set forth in Table XV.

TABLE XV

Address CS6 + 80 Hex Register Format

Addr   MSB                       Register (LSB)

0x80   Roll Stop TT_INT          T register (Time) 24b - r/w
0x84   Roll Stop TT_INT          T counter (Timer) - Free running 24b - r/o
0x88   Roll Stop TT_COF          Upstream loop-back capture 24b - r/o
0x8C   Roll Stop TT_COF          Downstream loop-back capture 24b - r/o
0x90   Roll Stop UP_COF          Upstream capture 24b - r/o
0x94   Roll Stop DN_COF          Downstream capture 24b - r/o
0x98   Roll Stop 0               not used
0x9C   Roll Stop 0               not used
0xA0   Adj Enable N Reg M Reg    Control register - 16b - r/w
0xA4   0                         Status clear bits - 16b - w/o

The T register (Time register) determines when the synchronization system Synchronization Pulse output signal (TTS) is generated. The TTS pulse is generated for 3 us when the T register = T counter evaluates true.

The T counter (Timer register) counts 1 us time base clocks. The T counter is free running. The Roll bit indicates when the T counter has rolled past the 24 bit Capture and Time register boundary and the software of the MP 15 accounts for this when capturing time.

Referring again to FIG. 24 and Table XV, the upstream attenuated loop-back capture register 99 latches the value of the T counter 96 when the Upstream attenuated loop-back detects an output synchronization pulse (TTS). The T counter Roll and Stop bits are also captured. This register detects faults in the "MY to Upstream" Synchronization pulse driver and backplane pins. The upstream loop-back capture register 99 is unknown until the first TTS pulse is detected. Roll and Stop indicate the state of the ROLL and stop flags when the capture occurred. TT_COF (capture overflow) indicates that TT_INT was already set when the capture occurred. The TT_COF bit will not clear until the TT_INT bit is cleared and the next TSO capture occurs.

A Downstream attenuated loop-back capture register 100 latches the value of the T counter 96 when the Downstream attenuated loop-back detects an output synchronization pulse (TTS). The T counter 87 Roll and Stop bits are also captured. This register detects faults in the "MY to Downstream" Synchronization pulse driver and backplane pins.

This Downstream Loop-back register 100 is unknown until the first TTS pulse is detected. Roll and stop indicate the state of the ROLL and stop flags when the capture occurred. TT_COF (capture overflow) indicates that TT_INT was already set when the capture occurred. The TT_COF bit will not clear until the TT_INT bit is cleared and the next TSO capture occurs.

An Upstream capture register 103 latches the value of the T counter 96 when the Upstream Synchronization pulse is detected. The T counter Roll and Stop bits are also captured. The Upstream Capture register 103 is unknown until the first Upstream Synchronization pulse (T) is detected or until the UP_LBEN (Upstream loop-back enable) bit is set in the control register and a synchronization system Synchronization Pulse (TTS) is generated. Roll and stop indicate the state of the ROLL and stop flags when the capture occurred. UP_COF (capture overflow) indicates that UP_CF was already set when the capture occurred. The UP_COF bit will not clear until the UP_CF bit is cleared and the next UP_S capture occurs. (See TT control register)

The Downstream capture register 104 latches the value of the T counter when the Downstream Synchronization pulse is detected. The T counter 96 Roll and Stop bits are also captured. The Downstream Capture register 104 is unknown until the first Downstream Synchronization pulse is detected or until the DN_LBEN (downstream loop-back enable) bit is set in the control register and a synchronization system Synchronization Pulse is generated. Roll and stop indicate the state of the ROLL and stop flags when the capture occurred. DN_COF (capture overflow) indicates that DN_CF was already set when the capture occurred. The DN_COF bit will not clear until the DN_CF bit is cleared and the next DN_S capture occurs.

The control register 97 provides miscellaneous functional and diagnostic control of the synchronization system subsystem.

10 CHANNEL DATA TRANSFER AND VOTING 

There are three MP/1 OP modules 1 in a preferred system 
of the present invention as noted above. As shown in FIGS. 
IDA and lOB the three MP/lOP modules communicate with 
each other via an inter-MP bus or channel. 11. The Channel 
U is a three channel parallel to serial/serial to parallel 
communications interface with a DMA controller, hardware 
loop-back fault detection, CRC checking and MP to MP 
electrical isolation is a high speed communication path 
between the three MPs 15 primarily used for voting. The 

^ three MPs 15a, 156 and 15c are time synchronized with each 
other by a synchronization system. 

In operation as shown in FIG. 2 each leg (Channel A, B, 
C) of the system controller is controlled by a separate 
MP/IOP module 1. Each MP/IOP module 1 operates in 
parallel with the other two MP/IOP modules 1, as a member 
of a triad. Each IOP 17 scans each I/O module 2 installed 
in the system of the present invention via the RS485 2 Mb 
I/O bus 13 at a predetermined time interval (set by the 
initial programming). As each I/O module 2 is scanned, new input 
data is transmitted by the IOP 17 to MP 15 via the shared 
memory module located on the MP/IOP printed circuit 
boards. The SX 15' assembles the input data and stores the 
input data in an input table in its memory 16 for application 
program evaluation. 

CHANNEL VOTING 

Prior to application program evaluation, the input table in 
memory 16 is compared with the input tables in memory 16 
on the other MPs 15 via the channel 11. 

The input data in each MP 15 is transferred to the other 
MP 15 modules in the system and "voted" by the SX 15' 
firmware. If a disagreement is discovered, the value found in 
two out of three tables prevails, and the third table is 
corrected accordingly. Each MP 15 maintains history data 
for corrections and faults. Any continuing disparity with the 
same leg, register or the like is recorded for future handling 
at a predetermined occasion by the SX 15' Fault Analyzer 
routines. 

The SX votes inputs before passing them to the applica- 
tion program to insure that the inputs are correct. Voting will 
be based on a majority vote on comparison and the default- 
ing MP/IOP module 1 data will be corrected. The SX 15' 
votes the inputs in accordance with the following Table XVI 
dependent on the number of MP/IOP module 1 processors in 
the system and whether the data is analog (a number) or 
discrete (on or off). 

TABLE XVI 

Voting Mode Comparison 

Operating Mode   Number of Legs Enabled   Discrete Voting   Analog Input Voting 

TMR              3                        2-out-of-3        Mid Value 
Duplex           2                        2-out-of-2        Average 
Single           1                        1-out-of-1        1-out-of-1 
Safe             0                        De-energized      NA 

Accordingly, when in TMR mode, i.e. three processors 
enabled, Digital or Discrete voting is conducted on 2 out of 
3 matching. For Analog voting the Midpoint value is 
selected. 

When in Duplex Mode, i.e. two processors enabled, 
Digital or Discrete voting is conducted on a 2 out of 2 
matching. For Analog voting the Average value is selected. 
For single processor voting the value presented is the value 
selected for either Discrete or Analog voting. 

After such comparison is made the selected value is 
restored to any table having different values. 
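
The voting rules of Table XVI, together with the restore step just described, can be written out as follows. This is an added example, not code from the patent: `point_t`, `vote_result_t` and `vote_point()` are hypothetical names, and it assumes that "2-out-of-2" means a discrete point reads on only when both enabled legs report on, so a Duplex mismatch resolves to off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operating modes of Table XVI; the value is the number of legs enabled. */
typedef enum { MODE_SAFE = 0, MODE_SINGLE = 1, MODE_DUPLEX = 2, MODE_TMR = 3 } vote_mode_t;

/* One point as it appears in the three MPs' tables (hypothetical layout). */
typedef struct {
    int32_t  value[3];     /* discrete: 0 = off, 1 = on; analog: raw counts  */
    bool     enabled[3];   /* leg takes part in this vote                    */
    unsigned disparity[3]; /* history: times this leg's discrete copy lost   */
} point_t;

typedef struct {
    vote_mode_t mode;      /* mode implied by the number of enabled legs     */
    bool        valid;     /* false only for analog data in Safe mode (NA)   */
    int32_t     selected;  /* voted value                                    */
    unsigned    corrected; /* bit i set: leg i's table entry was overwritten */
} vote_result_t;

/* Mid value of three readings: a single wild leg can never be selected. */
static int32_t mid_value(int32_t a, int32_t b, int32_t c)
{
    if (a > b) { int32_t t = a; a = b; b = t; }  /* now a <= b       */
    if (b > c) b = c;                            /* b = min(b, c)    */
    return a > b ? a : b;                        /* max(a, min(b,c)) */
}

/* Vote one point per Table XVI, then restore the selected value to every
 * enabled leg that held something different. */
vote_result_t vote_point(point_t *p, bool analog)
{
    int leg[3], n = 0;
    for (int i = 0; i < 3; i++)
        if (p->enabled[i]) leg[n++] = i;

    vote_result_t r = { (vote_mode_t)n, true, 0, 0u };
    switch (n) {
    case 3:  /* TMR: mid value, or 2-out-of-3 majority */
        r.selected = analog
            ? mid_value(p->value[0], p->value[1], p->value[2])
            : ((p->value[0] != 0) + (p->value[1] != 0) + (p->value[2] != 0)) >= 2;
        break;
    case 2:  /* Duplex: average, or 2-out-of-2 (assumed: both must be on) */
        r.selected = analog
            ? (int32_t)(((int64_t)p->value[leg[0]] + p->value[leg[1]]) / 2)
            : (p->value[leg[0]] != 0 && p->value[leg[1]] != 0);
        break;
    case 1:  /* Single: the value presented is the value selected */
        r.selected = analog ? p->value[leg[0]] : (p->value[leg[0]] != 0);
        break;
    default: /* Safe: discrete is de-energized, analog is not applicable */
        r.valid = !analog;
        return r;
    }
    for (int k = 0; k < n; k++) {
        int i = leg[k];
        if (p->value[i] != r.selected) {
            p->value[i] = r.selected;
            r.corrected |= 1u << i;
            if (!analog) p->disparity[i]++;  /* analog legs differ routinely */
        }
    }
    return r;
}

int main(void)
{
    /* Constructed sample data: leg B disagrees on a discrete input. */
    point_t di = { {1, 0, 1}, {true, true, true}, {0, 0, 0} };
    vote_result_t r = vote_point(&di, false);
    printf("TMR discrete -> %d, corrected mask 0x%x\n", (int)r.selected, r.corrected);

    /* Constructed sample data: leg C reads full scale. */
    point_t ai = { {1000, 1012, 4095}, {true, true, true}, {0, 0, 0} };
    r = vote_point(&ai, true);
    printf("TMR analog   -> %d\n", (int)r.selected);
    return 0;
}
```

The same three analog readings give a different result once one leg is disabled, which is why every MP has to vote in the same mode.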

In addition to Input comparisons, the SX 15' will also 
compare the outputs every scan. It will be considered a 
safety fault, if a MP 15 output data does not compare with 
the other MP's output data in accordance with Table XVI. 
Internal variables will also be compared on a periodic basis 
as is predetermined by the SX 15' code which can test every 
scan. The application program code will also be compared 
on a periodic basis as is predetermined by the SX 15' code 
which can also be every scan. Any comparison failure is 
considered a safety fault. 

After the channel 11 transfer and input data voting has 
corrected the input values, the values are evaluated by the 
application program. The Development developed applica- 
tion program is executed by the SX 15' in parallel on each 
MP 15 using an MPC860 microprocessor which is a suitable 
CPU for the MP 15. The application program generates a set 
of control system output values based upon the control 
system input values, according to the rules built in to the 
program by a Control Engineer for a particular installation. 



The MP 15 transmits the output values to the IOP 17 via 
shared memory 15 over interface 18. The MP 15 also votes 
the control system output values via channel 11 to detect 
faults. The IOP 17 separates the output data corresponding 
to individual I/O Modules 2 in the system. Output data for 
each I/O module 2 is transmitted via the I/O bus 13 to the 
output modules. 

CHANNEL DATA TRANSFER 

At predetermined times each MP 15 rendezvous with the 
other active members of the triad via the synchronization 
system and compares and votes all application program 
input data. During this comparison the actual data is voted 
using a majority override mechanism as noted above and 
all discrepancies corrected where appropriate. Each MP 15 
is transferred a copy of the other's data to compare against 
and correct its own copy as required over the channel 11. 
Along with the input data, portions of the MP 15 memory 
and hardware status shall be transferred to the other MPs 15 via 
Channel 11 and compared by firmware. Discrepancies con- 
stitute a fault. 

Voting is performed by SX instructions. The Channel 11 
is similar to a generic multi-channel communications con- 
troller using buffer descriptors except that Channel 11 is 
optimized for TMR SX 15' operation and includes real time 
fault detection and fault location of most faults via attenu- 
ated transmit loop-backs; no single Channel 11 failure 
disables more than one MP 15; no physical Channel 11 
interface signal interfaces with more than one other MP 15. 
(Physical interfaces are point-to-point). 

A typical channel 11 transfer used for voting purposes 
consists of the following steps: 

Rendezvous (synchronization system), step 701 

Transferring of data to be voted (Channel 11), step 702 

Analyzing transfer results (SX), CRC, status, and the like, 
step 703 

Transferring 1st results data resulting from analyzing 
transfer results to other MP Modules 1 (Channel 11), 
step 704 

Accumulating transfer results (SX), received from other 
MP Modules, step 705 

Transferring 2nd results data indicating voting mode to be 
taken (Channel 11), step 706 

Analyzing and Voting the data, step 707 

VOTING MODE SELECTION 

A combination of firmware algorithms (lookup table) and 
Channel 11 attenuated loop-back information permits the 
MPs 15 in the triad to detect, locate and contain any single 
leg Channel 11 faults to the faulted leg. In addition, the fault 
status information also allows the non-faulted MPs 15 in the 
triad to unanimously agree on the voting mechanism (TMR, 
Dual or Single). It is important that all MPs 15 vote using the 
same voting mode, since voting TMR will result in different 
(although correct) analog values vs. voting in Dual mode. 
To insure that all MPs participating in the vote arrive at the 
same voting mode in the presence of a Channel 11 fault, the 
following Channel 11 result accumulation table is used. 

TABLE XVII 

Channel 11 transfer accumulated results table 
Path fault information accumulated per MP leg (True/False Boolean data) 

Channel 11 Transfer 

After Channel 11 data transfer   Mum   Mdm   Mlmu   Mlmd 
After 1st result transfer        Umu   Udu   Ulum   Ulud   Dmd   Dud   Dldm   Dldu 
After 2nd result transfer        DUmu  DUdu  DUlum  DUlud  UDmd  UDud  UDldm  UDldu 

In order for voting to accurately determine a result the 
following rules are set regarding the Channel 11 results: 

True=Data Transfer worked, good CRC and good 
sequence number. 

False=Data Transfer failed/missing or bad CRC or bad 
sequence number. 

All transfers are "written". I.E. One leg can not pretend to 
be another. 

Only one leg faulted at a time. 

A false value can not be made true by passing it through 
the bad leg. False values stay false. 

A true value may be made false (or stay true) by passing 
it through the bad leg. I.E. True values may go false 
when passed through the bad leg. 

A true value passed through a good leg stays true. 

Loop-back status always correctly detects the fault loca- 
tion. 

TABLE XVIII 

Path Faults 

Path   Transmit Fault at:   Receive Fault at: 

mu     M                    U 
md     M                    D 
um     U                    M 
ud     U                    D 
dm     D                    M 
du     D                    U 

TABLE XIX 

Vote selection mode truth table 

TMRvote <- RMum & RMdm & (RUmu | RDUmu) & 
           (RUdu | RDUdu) & (RDmd | UDmd) & 
           (RDud | RUDud) 

Path Fault    Fault At:   Voter Solution   Boolean Equation 

Single leg faults resulting in Dual voting: DUALvote 

MvUD_fMmu     M           UD   <- !MRUmu & !MDRUmu & 
                                  (MRUdu|MDRUdu) & 
                                  (MRDud|MURDud) & !TMmu 

MvMD_fUmu     U           MD   <- RMdm & !MRUmu & !MDRUmu & 
                                  (MRDmd|MURDmd) & TMmu 

MvUD_fMmd     M           UD   <- !MRDmd & !MURDmd & 
                                  (MRUdu|MDRUdu) & 
                                  (MRDud|MURDud) & !TMmd 

MvMU_fDmd     D           MU   <- RMum & !MRDmd & !MURDmd & 
                                  (MRUmu|MDRUmu) & TMmd 

MvMD_fUum     U           MD   <- !RMum & RMdm & 
                                  (MRDmd|MURDmd) & !MTUum & 
                                  !MDTUum 

MvUD_fMum     M           UD   <- !RMum & (MRUdu|MDRUdu) & 
                                  (MRDud|MURDud) & 
                                  (MTUum|MDTUum) 

MvMD_fUud     U           MD   <- RMdm & (MRDmd|MURDmd) & 
                                  !MRDud & !MURDud & !MTUud & 
                                  !MDTUud 

MvMU_fDud     D           MU   <- RMum & (MRUmu|MDRUmu) & 
                                  !MRDud & !MURDud & 
                                  (MTUud|MDTUud) 

MvMU_fDdm     D           MU   <- RMum & !RMdm & 
                                  (MRUmu|MDRUmu) & 
                                  !MTDdm & !MUTDdm 

MvUD_fMdm     M           UD   <- !RMdm & (MRUdu|MDRUdu) & 
                                  (MRDud|MURDud) & 
                                  (MTDdm|MUTDdm) 

MvMU_fDdu     D           MU   <- RMum & (MRUmu|MDRUmu) & 
                                  !MRUdu & !MDRUdu & !MTDdu & 
                                  !MUTDdu 

MvMD_fUdu     U           MD   <- RMdm & (MRDmd|MURDmd) & 
                                  !MRUdu & !MDRUdu & 
                                  (MTDdu|MUTDdu) 

Multiple faults resulting in Single mode voting: SINGLE vote 



End of scan copy: TMRmode<=TMRvote, 
DUALmode<=DUALvote 

Example Line 2 of Path fault: MvMD_fUmu 

My vote is MY and Downstream, fault located at 
Upstream's MY to Upstream interface: I.E., Upstream 
Receiver is bad. 
The equation reads: 

RMdm -> I received good data from downstream. 

!MRUmu -> Upstream reports he did not receive my data. 

!MDRUmu -> Downstream reports that Upstream reports he did not 
receive my data. 

MRDmd -> Downstream reports he did receive my data. 

MURDmd -> Upstream reports that Downstream reports he did receive my 
data. 

TMmu -> My upstream Transmit is good. 

Note: Voting UD cases are for fault diagnosis only, M fails 
in this case and does not actually vote. 
Redundant written terms have not been reduced out. 
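
The example equation can be checked against the transfer rules by running the three Channel 11 rounds for every possible single fault and seeing which one makes it true. This is an added illustration, not code from the patent: `fault_t`, `relay()`, `accumulate()` and `scenarios_matching()` are hypothetical names, and a status relayed over the faulted path is modelled as always arriving False, although the rules allow it to stay True.

```c
#include <stdbool.h>
#include <stdio.h>

/* The six point-to-point Channel 11 paths, named <from><to> as on the page
 * (m = MY, u = Up, d = Dn). P_NONE means a healthy triad. */
typedef enum { P_NONE = -1, P_MU, P_MD, P_UM, P_UD, P_DM, P_DU } path_t;

/* A single fault: which path, and whether it sits in the transmitter (seen
 * by the sender's own loop-back) or in the far-end receiver. */
typedef struct { path_t path; bool at_transmitter; } fault_t;

static bool path_ok(fault_t f, path_t p) { return f.path != p; }

/* Pass a status over a path. False stays False; True survives a good path.
 * Modelling assumption: the bad path always turns True into False. */
static bool relay(fault_t f, bool status, path_t p)
{
    return status && path_ok(f, p);
}

/* The terms of MvMD_fUmu as accumulated in MY leg. */
typedef struct {
    bool RMdm;    /* I received good data from downstream             */
    bool MRUmu;   /* Up reports it received my data                   */
    bool MDRUmu;  /* Down reports that Up reports it received my data */
    bool MRDmd;   /* Down reports it received my data                 */
    bool MURDmd;  /* Up reports that Down reports it received my data */
    bool TMmu;    /* my loop-back on the MY-to-Up transmitter is good */
} my_view_t;

my_view_t accumulate(fault_t f)
{
    my_view_t v;
    /* Data transfer: each receiver records CRC and sequence number result. */
    bool RUmu = path_ok(f, P_MU);
    bool RDmd = path_ok(f, P_MD);
    v.RMdm = path_ok(f, P_DM);
    /* 1st result transfer: first-hand reports arrive over um and dm. */
    v.MRUmu = relay(f, RUmu, P_UM);
    v.MRDmd = relay(f, RDmd, P_DM);
    /* 2nd result transfer: each report is relayed through the third leg. */
    v.MDRUmu = relay(f, relay(f, RUmu, P_UD), P_DM);
    v.MURDmd = relay(f, relay(f, RDmd, P_DU), P_UM);
    /* Loop-back only sees the transmit driver, not the far-end receiver. */
    v.TMmu = !(f.path == P_MU && f.at_transmitter);
    return v;
}

/* Line 2 of Table XIX, term by term as read out on the page. */
bool MvMD_fUmu(my_view_t v)
{
    return v.RMdm && !v.MRUmu && !v.MDRUmu && (v.MRDmd || v.MURDmd) && v.TMmu;
}

/* Count the scenarios (no fault, plus 6 paths x 2 ends) in which the
 * equation is true; *hit receives the last matching scenario. */
int scenarios_matching(fault_t *hit)
{
    int count = 0;
    for (int p = P_NONE; p <= P_DU; p++)
        for (int tx = 0; tx <= (p == P_NONE ? 0 : 1); tx++) {
            fault_t f = { (path_t)p, tx != 0 };
            if (MvMD_fUmu(accumulate(f))) { count++; *hit = f; }
        }
    return count;
}

int main(void)
{
    fault_t hit = { P_NONE, false };
    int n = scenarios_matching(&hit);
    printf("%d scenario(s) match: path %d, %s end\n", n, (int)hit.path,
           hit.at_transmitter ? "transmitter" : "receiver");
    return 0;
}
```

A fault on the Up to MY path also makes MRUmu false, and it is the second-hand term MDRUmu, still true in that case, that keeps the two faults apart.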

ABBREVIATIONS 
Note: These terms are concatenated to form first and second 
hand status information used to determine the voting mode. 
M=my view 
U=Up's view 
D=Down's view 
v=vote is . . . 
f=fault located at . . . 

Operators: !=not, |=logical "OR", &=Logical "AND" 
RM=my view of another leg's data packet status through 
My receiver 

RU=Up's view of another leg's data packet status through 
Up's receiver 

RD=Down's view of another leg's data packet status 
through Dn's receiver 
TM=my view of my loop-back status 
TU=Up's view of Up's loop-back status 
TD=Down's view of Down's loop-back status 
um=result of transfer from path Up to MY 
dm=result of transfer from path Dn to MY 
lmu=result of my hardware loop-back from Up to MY 
path 

lmd=result of my hardware loop-back from Dn to MY 
path 

mu=result of transfer from path MY to Up 
du=result of transfer from path Dn to Up 
lum=result of Up hardware loop-back from Up to MY 
path 

lud=result of Up hardware loop-back from Up to Dn path 
ud=result of transfer from path Up to Dn 
md=result of transfer from path MY to Dn 
ldm=result of Dn hardware loop-back from Dn to MY 
path 

ldu=result of Dn hardware loop-back from Dn to Up path 

Skip_OK=Ok to skip a scan. This term prevents the MP 
from skipping consecutive scans or too many scans per 
TBD time period. 

TMRmode=Last vote was TMRvote. Used to determine. 

DUALmode=Last vote was DUALvote. Used to deter- 
mine. 

SINGLEmode=Last vote was Single vote. 

TMRvote=Voting TMR this scan. 

DUALvote=Voting DUAL this scan. 

SINGLEvote=Voting Single this scan. 

The method of voting mode selection includes the fol- 
lowing steps: The SX system checks the lookup truth table, 
and the capture register values, step 801. The system then 
checks for any faults on any processor leg, step 802. If no 
faults are detected, then the system enters TMR voting 
mode. If a fault is discovered, step 802, the system deter- 
mines if more than one processor is faulted, step 803. If so, 
the system continues in single processor voting mode, step 
804. If all of the processors are faulted, the system halts. 

A hardware clock calendar circuit is used to maintain the 
time and date during the MP power-off state and for OSE. 
The synchronization system FPGA firmware based clock 
calendar routines are used to maintain the time and date 
during the MP power-on state. This time is voted between 
the MPs. 

ATTENUATED HARDWARE 
COMMUNICATION INTERFACE LOOP-BACK 

TriBus channel transmit data loop-back receiver-checkers 
independently check the upstream and downstream transmit 
data drivers. As shown in FIG. 24 Loop-back registers 99 
and 100 are connected through the base-plate so that the 
transmit data driver base-plate connectors pins will also be 
diagnosed. The loop-back receivers are slightly attenuated 
with respect to the MPs' upstream and downstream receivers so 
that a weak transmitter will be detected by the loop-back 
receiver before it is detected by the up or downstream 
receiver. This feature provides extremely accurate fault 
identification and location. 

When data signals are transmitted to adjacent processors 
on the various processor legs as shown in FIGS. 11A and 
11B, each processor 90, 91 and 92 has an upstream and 
downstream loop back path, 90b, 90d, 91b, 91d, 92b and 
92d, respectively. The loop back capture registers capture 
the level of the signal. The signals are attenuated to switch 
the signal value received by the other upstream and down- 
stream processors. Since the loop-back signal is first 
received by the transmitting processor, the expected return 
value can be evaluated. 

TERMS AND ACRONYMS USED IN THIS 
SPECIFICATION 

Channel (Also known as Leg)   An independent I/O Input->MP->I/O Output path 
1 rTU LKJa 
]jC2A Bus                     Bus between MP and Local Communication module 
1 tn A* Tr\ LIU 01 lu 
IOP                           System Input Output Processor 
IOP Bus                       Bus between MP/IOP and expansion IOPs 
LIOX or IOX                   System Input/Output Executive firmware 
MP 
LRXM or RXM                   System Remote Extender Module 
L^A. 01 OA                    tiLveadon 
MAU                           Media Adapter Unit - for 803.2 networks 
TMR                           Triple Modular Redundant 
TRICON                        TRICONEX Fault Tolerant PLC 
channel                       MP inter-processor communications bus 
TriLan                        Triplicated Peer to Peer Bus 
Trinode                       A System MP on TriLan 
synchronization system        MP Time synchronization subsystem 
DMA                           Direct memory access 
TCP/IP                        Transmission Control Protocol/Internet Protocol 
PC                            Personal computer 
DCS Host                      Distributed processor control systems host 
LAN                           Local area network 
Leg                           Channel 
LMP/LIOP or MP/IOP            Main processor/input output module 
Modbus                        A Modicon protocol bus 
LCB                           Local communications bus 
Control Program               Program developed by user for control of industrial environment 
FRS                           Field replaceable subsystem 

While specific embodiments of this invention have been 
described above, those skilled in the art will readily appre- 
ciate that many modifications are possible in the specific 
embodiment, without materially departing from the novel 
teachings and advantages of this invention. Accordingly, all 
such modifications are intended to be included within the 
scope of this invention. 
Having thus described the invention what is claimed is: 
1. A controller for executing an application program to 
process control information related to control elements 
comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to said control elements, commu- 
nicating with each main processor module; 

at least one communication module communicating exter- 
nal signals to said plurality of main processor modules; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of main processor modules and compares the 
information in each main processor module with the 
information in other selected ones of said main pro- 
cessor modules; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; 

a system for determining the clocking midpoint of all 
processor signals; 

a clock update apparatus which sends update signals to 
the clock to increase the clock rate if slower than the 
clocking midpoint; 

a clock update apparatus which sends update signals to 
the clock to decrease the clock rate if faster than the 
clocking midpoint; and 

a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a 
common physical characteristics for receiving said 
electronic circuit boards and providing housing elec- 
trical connectors. 

2. A controller as described in claim 1 wherein there are 
a plurality of base plate circuit boards, selected ones of said 
base plate circuit boards receiving said housing for said 
main processor modules, other selected ones of said base 
plate circuit boards receiving said housing for said at least 
one input/output module, and still other selected ones of said 
base plate circuit boards receiving said housing for said at 
least one communication module. 

3. A controller as described in claim 1 wherein each of 
said plurality of housings includes a mounting fastener 
attached to said housing which is used to mount said housing 
to said baseplate circuit board and remove said housing from 
said base plate circuit board. 

4. A controller as described in claim 3 wherein said 
fastener is an elongated screw which is rotatable attached to 
said housing along its length such that when the screw is 
rotated in a first direction the housing electrical connectors 
are pulled into engagement with said base plate electrical 
connectors and when turned in an opposite direction pulls 
said housing electrical connectors out of engagement with 
said base plate electrical connectors. 

5. A controller as described in claim 3 further comprising 
a sensor for sensing a change in position of said fastener and 
a module remove detector system for indicating that the 
fastener position has changed. 

6. A controller for executing an application program to 
process control information related to control elements 
comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to said control elements commu- 
nicating with each main processor module; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of main processor modules and compares the 
information in each selected main processor module 
with the information in other selected ones of said main 
processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected one of 
said plurality of main processor modules which is used 
to compare information in each main processor mod- 
ule; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; 

a system for determining the clocking midpoint of all 
processor signals; 

a clock update apparatus which sends update signals to 
the clock to increase the clock rate if slower than the 
clocking midpoint; and 

a clock update apparatus which sends update signals to 
the clock to decrease the clock rate if faster than the 
clocking midpoint. 

7. A controller as described in claim 6 wherein there are 
a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a common 
physical characteristics for receiving said electronic circuit 
boards and providing housing electrical connectors and 
wherein there are a plurality of base plate circuit boards, 
selected ones of said base plate circuit boards receiving said 
housing for said main processor modules, and other selected 
ones of said base plate circuit boards receiving said housing 
for said at least one input/output module. 

8. A controller as described in claim 6 wherein said 
housing includes a mounting fastener attached to said hous- 
ing which is used to mount and remove said housing from 
said base plate circuit board by manipulation of said fas- 
tener. 

9. A controller as described in claim 8 wherein said 
fastener is an elongated screw which is rotatable attached to 
said housing along its length such that when the screw is 
rotated in a first direction the housing electrical connectors 
are pulled into engagement with said base plate electrical 
connectors and when turned in an opposite direction pulls 
said housing electrical connectors out of engagement with 
said base plate electrical connectors. 

10. A controller as described in claim 8 further comprising 
a sensor for sensing a change in position of said fastener and 
a module remove detector system for indicating that the 
fastener position has changed. 

11. A controller for executing an application program to 
process control information related to control elements 
comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to control elements, communicat- 
ing with each main processor module; 

at least one communication module communicating exter- 
nal signals to said plurality of main processor modules; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected one of 
said plurality of main processor modules which is used 
to compare information in each main processor mod- 
ule; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; 

a system for determining the clocking midpoint of all 
processor signals; 

a clock update apparatus which sends update signals to 
the clock to increase the clock rate if slower than the 
clocking midpoint; and 

a clock update apparatus which sends update signals to 
the clock to decrease the clock rate if faster than the 
clocking midpoint. 

12. A controller as described in claim 11 wherein there are 
a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a common 
physical characteristics for receiving said electronic circuit 
boards and providing housing electrical connectors and 
wherein there are a plurality of base plate circuit boards, 
selected ones of said base plate circuit boards receiving said 
housing for said main processor modules, other selected 
ones of said base plate circuit boards receiving said housing 
for said at least one input/output module, and still other 
selected ones of said base plate circuit boards receiving said 
housing for said at least one communication module. 

13. A controller as described in claim 11 wherein there are 
a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a common 
physical characteristics for receiving said electronic circuit 
boards and providing housing electrical connectors and 
wherein said housing includes a mounting fastener attached 
to said housing which is used to mount and remove said 
housing from said base plate circuit board. 

14. A controller as described in claim 13 wherein said 
fastener is an elongated screw which is rotatable attached to 
said housing along its length such that when the screw is 
rotated in a first direction the housing electrical connectors 
are pulled into engagement with said base plate electrical 
connectors and when turned in an opposite direction pulls 
said housing electrical connectors out of engagement with 
said base plate electrical connectors. 

15. A controller as described in claim 13 further compris- 
ing a sensor for sensing a change in position of said fastener 
and a module remove detector system for indicating that the 
fastener position has changed. 

16. A controller for executing an application program to 
process control information related to control elements 
comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to control elements communicating 
with each main processor module; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

17. A controller for executing an application program to 
process control information related to control elements 
comprising: 

a plurality of main processor modules each of which runs 
the application program; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected one of 
said plurality of main processor modules which is used 
to compare information in each main processor mod- 
ule; 

a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a 
common physical characteristics for receiving said 
electronic circuit boards and providing housing elec- 
trical connectors; 

at least one base plate circuit board for mounting each 
module which provides base plate electrical connectors 
for receiving the housing electrical connectors; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

18. A controller as described in claim 17 wherein there are 
a plurality of base plate circuit boards receiving said housing 
for said main processor modules. 

19. A controller as described in claim 17 wherein said 
housing includes a mounting fastener attached to said hous- 
ing which is used to mount and remove said housing from 
said base plate circuit board. 

20. A controller as described in claim 19 wherein said 
fastener is an elongated screw which is rotatable attached to 
said housing along its length such that when the screw is 
rotated in a first direction the housing electrical connectors 
are pulled into engagement with said base plate electrical 
connectors and when turned in an opposite direction pulls 
said housing electrical connectors out of engagement with 
said base plate electrical connectors. 

21. A controller as described in claim 19 further compris- 
ing a sensor for sensing a change in position of said fastener 
and a module remove detector system for indicating that the 
fastener position has changed. 

22. A controller as described in claim 17 further compris- 
ing at least one input/output module for receiving and 
sending control information to control elements in said 
control system communicating with each of said plurality of 
main processor modules. 

23. A controller as described in claim 17 further compris- 
ing at least one communication module receiving commu- 
nicating external signals to of said plurality of main proces- 
sor modules. 

24. A controller as described in claim 17 further compris- 
ing: 

at least one input/output module for receiving and sending 
control information to control elements in said control 
system communicating with each of said plurality of 
main processor modules; and 

at least one communication module for sending and 
receiving external signals communicating with each of 
said plurality of main processor modules. 

25. A control system platform for executing an application 
program to process control information related to control 
elements comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to control elements communicating 
with each main processor module; 

at least one communication module communicating exter- 
nal signals to said plurality of main processor modules; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected one of 
said plurality of main processor modules which is used 
to compare information in each main processor mod- 
ule; 

a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a 
common physical characteristics for receiving said 
electronic circuit boards and providing housing elec- 
trical connectors; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

26. A control system platform described in claim 25 
wherein there are a plurality of base plate circuit boards, 
selected ones of said base plate circuit boards receiving said 
housing for said main processor modules, other selected 
ones of said base plate circuit boards receiving said housing 
for said at least one input/output module, and still other 
selected ones of said base plate circuit boards receiving said 
housing for said at least one communication module. 

27. A control system platform as described in claim 25 
wherein said housing includes a mounting fastener attached 
to said housing which is used to mount and remove said 
housing from said base plate circuit board. 

28. A control system platform as described in claim 27 
wherein said fastener is an elongated screw which is rotat- 
able attached to said housing along its length such that when 
the screw is rotated in a first direction the housing electrical 
connectors are pulled into engagement with said base plate 
electrical connectors and when turned in an opposite direc- 
tion pulls said housing electrical connectors out of engage- 
ment with said base plate electrical connectors. 

29. A control system platform as described in claim 27 
further comprising a sensor for sensing a change in position 
of said fastener and a module remove detector system for 
indicating that the fastener position has changed. 

30. A control system platform for executing an application 
program to process control information related to control 
elements comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to control elements communicating 
with each main processor module; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected one of 
said plurality of main processor modules which is used 
to compare information in each main processor mod- 
ule; 

a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a 
common physical characteristics for receiving said 
electronic circuit boards and providing housing elec- 
trical connectors; 

at least one base plate circuit board for mounting each 
module which provides base plate electrical connectors 
for receiving the housing electrical connectors; 

a common rail system for mounting of said at least one 
base plate circuit board and providing electrical con- 
nections to each of said housings; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

31. A control system platform as described in claim 30 
wherein there are a plurality of base plate circuit boards, 
selected ones of said base plate circuit boards receiving said 
housing for said main processor modules, and other selected 
ones of said base plate circuit boards receiving said housing 
for said at least one input/output module. 

32. A control system platform as described in claim 30 
wherein said housing includes a mounting fastener attached 
to said housing which is used to mount and remove said 
housing from said base plate circuit board. 

33. A control system platform as described in claim 32 
wherein said fastener is an elongated screw which is rotat- 
able attached to said housing along its length such that when 
the screw is rotated in a first direction the housing electrical 
connectors are pulled into engagement with said base plate 
electrical connectors and when turned in an opposite direc- 
tion pulls said housing electrical connectors out of engage- 
ment with said base plate electrical connectors. 

34. A control system platform as described in claim 32 
further comprising a sensor for sensing a change in position 
of said fastener and a module remove detector system for 
indicating that the fastener position has changed. 

35. A control system platform as described in claim 30 
further comprising at least one communication module 
receiving communicating external signals to of said plurality 
of main processor modules. 

36. A computer control system for executing an applica- 
tion program to process control information related to con- 
trol elements comprising: 

a plurality of main processor modules each of which runs 
the application program; 

at least one input/output module for receiving and sending 
control information to control elements communicating 
with each main processor module; 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules; 

a voting system which exchanges information between 
selected ones of said main processor modules of said 
plurality of modules and compares the information in 
each main processor module with the information in 
other selected ones of said main processor modules; 

a selection system which determines which of said plu- 
rality of main processor modules is a selected main 
processor module which is used to compare informa- 
tion in each main processor module; 

a plurality of separate housings for enclosing electronic 
circuit boards representing said modules, having a 
common physical characteristics for receiving said 
electronic circuit boards; 

a common rail system for mounting of said housing and 
providing electronic connections to each of said hous- 
ings; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; 

a system for determining the clocking midpoint of all 
processor signals; 

a clock update apparatus which sends update signals to 
the clock to increase the clock rate if slower than the 
clocking midpoint; and 

a clock update apparatus which sends update signals to 
the clock to decrease the clock rate if faster than the 
clocking midpoint. 

37. A control system platform for executing a control 
system program for managing a control system and evalu- 
ating the accuracy of information related to said control 
system, said platform comprising: 

a plurality of main processor modules, each executing a 
copy of said application program; 

at least one field input/output module communicating 
with each main processor module; 

a voting system for comparing information between said 
main processor modules, and 

a restoring system for restoring valid information for 
access by said main processor modules; 

apparatus for sending a rendezvous signal to all other 
main processor modules; 

apparatus for receiving a rendezvous signal from all other 
main processor modules; and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

38. A control system platform as described in claim 37 
wherein said information is selected from the group con- 
sisting of: 

program code, 
fault detection information, 
sensor information, 
command information, 
output information, and 
input information. 

39. A control system for executing an application program 
and evaluating the accuracy of input/output information 
comprising: 

a plurality of main processor modules, each executing 
said application program; 

at least one field input/output module communicating 
with each main processor module; 

a voting system for comparing information between said 
main processor modules; and 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules including: 

apparatus for sending a rendezvous signal to all other 
main processor modules, 

apparatus for receiving a rendezvous signal from all other 
main processor modules, and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all pro- 
cessor signals. 

40. A voting system which exchanges information 
between selected ones of a main processor modules of said 
plurality of modules and compares the information in each 
main processor module with the information in other 
selected ones of said main processor modules comprising: 

an apparatus for loading control system related informa- 
tion from each processor for storage in every other 
processor, 

a comparison apparatus for comparing loaded control 
system related information with the comparing proces- 
sor's control system information; 

memory for storing the results of said comparison; 

a selection apparatus for determining which loaded infor- 
mation compares with said comparing processor's 
information; 

a default apparatus for storing a default indication where 
the comparing processor's information fails to compare 
with a majority of said loaded processor information; 
and 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules including: 

apparatus for sending a rendezvous signal to all other 
main processor modules, 

apparatus for receiving a rendezvous signal from all 
other main processor modules, and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all 
processor signals. 

41. A control system for executing an application program 
and evaluating the accuracy of input/output information 
comprising: 

a plurality of main processor modules; 

at least one field input/output module communicating 
with each main processor module; 

a voting system for comparing information between said 
main processor modules; and 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules including: 

apparatus for sending and receiving rendezvous signals 
to and from all other main processor modules, and 

a clock update apparatus which sends update signals to 
the clock based on the clocking midpoint of all 
processor signals. 

42. A control system platform for running a control 
system program which processes information related to a 
control system; said control system platform comprising: 

a plurality of processors executing said control system 
program and processing said control system informa- 
tion said processors mounted to a common power rail; 

at least one input/output module for sending and receiving 
said information related to said control system; com- 
municating with each of said processors mounted to 
said common power rail communicating with said 
plurality of processors; 

at least one communication module for receiving external 
signals and exchanging external signals with each of 
said processors and external signals; mounted to said 
common power rail communicating with said plurality 
of processors over a communications bus; 

a validation system on each processor for evaluating said 
control system information to be processed by said 
control system program prior to processing by said 
control system program; said evaluation system com- 
paring categories of information stored in memory on 
each processor with the same category of information 
in memory on other processors and selecting informa- 
tion on which a majority of processors compare as valid 
information and storing said valid information into the 
memory of any processor for which the information did 
not compare with the majority of processors; 

each of said processors being interconnected on an inter- 
processor bus through a loop-back path; said loop back 
path applying the signals for transmitting information 
by each transmitting processor to other processors on 
said bus as an attenuated loop-back signal to said 
transmitting processor; 

a storage area in the transmitting processor memory for 
storing said loop-back information; 

a comparator for comparing signals transmitted by said 
other processors on said bus with said loop back signals 
to determine if the information in said loop-back sig- 
nals is the same as the signals transmitted by said other 
processors; and 

a time synchronizing system for synchronizing the time 
clocks of said main processor modules including appa- 
ratus for sending and receiving rendezvous signals to 
and from all other main processor modules and a clock 
update apparatus which sends update signals to the 
clock based on the clocking midpoint of all processor 
signals. 

43. A method for determining the voting mode of a 
plurality of processors each having memory and coupled to 
a inter processor bus comprising the steps of: 

exchanging information with said plurality of processors 
over said bus transmitting a category of information 
from a first processor on said bus to a second processor 
on the bus; 

passing said transmitted information through an attenu- 
ated loop-back path to said first processor; 

capturing said transmitted loop-back information in said 
first processor memory; 

comparing said attenuated loop back information cap- 
tured in said first processor memory with the informa- 
tion transmitted by said first processor; 

storing a first result of said comparing in said first 
processor's memory; 

faulting the first processor when the first result indicates 
a difference in said information; 

capturing second processor information which is received 
by said first processor from a second processor on said 
bus in said first processor memory; 

comparing said second processor captured information 
with the same category of information in said first 
processor; 

faulting the second processor when the second result 
indicates a difference in said information; 

reconfiguring said system to perform comparison with 
memory information from other processors without 
using faulted processors; 

sending a rendezvous signal to said first processor; 

receiving a rendezvous signal from said first processor; 
and 

updating the clock of said first processor and said second 
processor based on the clocking midpoint of all pro- 
cessor signals. 

44. A method of voting between a plurality of processors 
having memory comprising the steps of: 

exchanging information between said processors; 

comparing information in selected categories in each 
processor with the information received from other 
processors in the same selected category; 

determining if said information conforms in a majority of 
processors in said category; and 

restoring said conformed category of information in all 
non-conforming processors; 

sending a rendezvous signal to the other processors; 

receiving a rendezvous signal from the other processors; 
and 

sending update signals to the clock based on the clocking 
midpoint of all processor signals. 

45. A method of voting as described in claim 44 com- 
prising the following additional step of determining a mid- 
point value where three processors are voting analog input 
information. 

46. A method of voting as described in claim 44 com- 
prising the following additional step of determining a major- 
ity value where three processors are voting discrete input 
information. 

47. A method of voting as described in claim 44 com- 
prising the following additional step of determining an 
average value where two processors are voting analog input 
information. 

48. A method of voting as described in claim 44 com- 
prising the following additional step of determining a unani- 
mous value where two processors are voting discrete input 
information. 

* * * * *
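The voting rules of claims 44 to 48 (mid-value or majority with three processors, average or unanimity with two, then restoring the voted value in non-conforming processors), as an added example in C that is not taken from the patent. The deviation tolerance, the fault bitmask and the handling of a two-channel discrete disagreement as "no valid value" are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Outcome of one voting round over the channels still in service. */
typedef struct {
    bool valid;       /* false: no agreed value, caller applies its safe state */
    double value;     /* voted value; discrete votes use 0.0 or 1.0 */
    unsigned faulted; /* bit i set: channel i did not conform to the vote */
} vote_result;

/* Mid-value of three readings: the one that is neither lowest nor highest. */
static double mid3(double a, double b, double c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Analog: mid-value for three channels (claim 45), average for two (claim 47).
   The tolerance is assumed; flagged channels get the voted value (claim 44). */
vote_result vote_analog(double *in, size_t n, double tolerance) {
    vote_result r = { false, 0.0, 0u };
    if (n == 3) r.value = mid3(in[0], in[1], in[2]);
    else if (n == 2) r.value = (in[0] + in[1]) / 2.0;
    else return r;
    r.valid = true;
    for (size_t i = 0; i < n; i++) {
        double d = in[i] > r.value ? in[i] - r.value : r.value - in[i];
        if (d > tolerance) { r.faulted |= 1u << i; in[i] = r.value; }
    }
    return r;
}

/* Discrete: majority for three channels (claim 46), unanimity for two (claim 48).
   Treating a two-channel disagreement as "no valid value" is an assumption. */
vote_result vote_discrete(bool *in, size_t n) {
    vote_result r = { false, 0.0, 0u };
    if (n == 3) {
        bool voted = (in[0] + in[1] + in[2]) >= 2;
        r.valid = true;
        r.value = voted ? 1.0 : 0.0;
        for (size_t i = 0; i < n; i++)
            if (in[i] != voted) { r.faulted |= 1u << i; in[i] = voted; }
    } else if (n == 2) {
        r.valid = (in[0] == in[1]);
        r.value = (r.valid && in[0]) ? 1.0 : 0.0;
        if (!r.valid) r.faulted = 0x3u; /* cannot tell which channel is wrong */
    }
    return r;
}

int main(void) {
    double ch[3] = { 10.0, 10.2, 55.0 }; /* constructed readings */
    return vote_analog(ch, 3, 0.5).faulted == 0x4u ? 0 : 1;
}
```

With only two channels left a disagreement cannot be attributed to one of them, which is why the two-channel paths flag both channels or neither.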